Kusserow on Compliance: Questions concerning compliance outsourcing

One of the most significant recent trends has been the movement towards outsourcing as many functions as possible that are not directly involved in a business’s core activities. The two most prevalent motivations for outsourcing are cost savings and gaining expertise. For most, there are many questions regarding this practice in the compliance arena.

WHY? Today, many pieces of compliance offices are routinely outsourced to enable the compliance office to focus on the core elements of the program. Among the functions commonly outsourced to vendors are hotlines, sanction screening services, and training programs. In some cases, the reason to seek expert assistance arises when a departure creates a gap where assistance is needed until a replacement can be hired. Also, an existing compliance program may need supplemental assistance to deal with added responsibilities, such as HIPAA Privacy/Security Officer support.

WHEN? Often the decision is made when there are identified weaknesses or gaps in operations, such as a vacancy in a compliance, privacy, or security officer position. In other cases, it may be the need for quick fixes as a result of government intervention, such as settlement mandates.

WHERE? Where do you find the necessary compliance expertise to engage? The easiest starting point is checking the Internet to find professional journal articles on the subject. This can provide additional insights, as well as identify experts on the subject. Also, an Internet search can identify firms that may provide the needed service.

WHO? Who are some of the experts who have built, assessed, and managed effective compliance programs and can fill gaps or supplement compliance programs? They are individuals whose hands-on experience in multiple circumstances and settings makes them experts. The following are examples of experts with extensive compliance program consulting experience, as well as having served in multiple compliance officer roles:

  • Cornelia Dorfschmid, PhD, over 20 years of health care consulting experience with service on multiple occasions as designated/interim compliance officer with hospital systems and physician practices.
  • Steve Forman, CPA, 12 years as a health care consultant; 10 years as VP for Audit/Compliance at a hospital system; and multiple service as interim/designated compliance officer.
  • Suzanne Castaldo, JD, CHC, experienced consultant who served as interim/designated compliance officer several times.
  • Thomas E. Herrmann, JD, 20 years with the Office of General Counsel to the IG; 6 years as Appellate Judge for the Medicare Appeal Council; and 5 years as a compliance consultant and multiple service as interim/designated compliance officer.

HOW? How can an organization use compliance experts to best advantage? There are many benefits to using qualified experts, but the key to investing in them is to obtain the best return for the cost by ensuring they add substantial value. In addition to day-to-day management, consider including some of the following:

  1. Examine the program to confirm strengths and identify opportunities for improvement
  2. Conduct an independent evaluation of the program for senior management and board
  3. Review the Code and other written guidance
  4. Evaluate quality and effectiveness of compliance training
  5. Assess high-risk areas that warrant attention
  6. Assess resources needed to effectively operate the compliance program
  7. Have them identify and build metrics evidencing compliance program effectiveness
  8. Use them to assist in identification and evaluation of candidates for the permanent position
  9. Provide a “road map” for the incoming compliance officer to follow

WHAT? What is the level of effort needed to use compliance experts in compliance programs? Even for large organizations, a true compliance expert can hold things together for several months without having to be full time on site. Most organizations can keep their compliance program running efficiently using an expert for 50 to 80 hours per month for up to 6 months, before it becomes critical to have a permanent compliance officer put in place. For smaller organizations and most physician practices, the number of hours is often half that rate. With current technology and communication, not all hours need to be on site; however, the key is to have the expert on call and available to address any emergent issues. It is worth noting that the OIG has accepted the fact that for smaller organizations, it may make sense to engage a qualified expert as the Designated Compliance Officer. The OIG cites many reasons an organization may consider using an outside expert instead of a full-time W-2 employee.

For more information on this topic, contact Suzanne Castaldo, JD at scastaldo@strategicm.com.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Tips for reducing the risk of cyber-attacks

Tim Murphy, former FBI deputy director, stated that he rated cyber-attacks as the number one threat facing the country. Threats come from both inside and outside organizations. Insider threats may involve current or former employees or vendors. They may be motivated to steal intellectual property or funds, or simply to cause problems. The danger of employee-related crimes is that insiders have inside information concerning how things work and have access to data and computer systems. One of the best ways to combat attacks by insiders is to continuously monitor an individual’s public online activity, as well as internal network activity, to detect changes in behavior. Often, cyber-attackers have patterns of detectable behavior and network activity that can provide indicators of risk and assist in early detection. It is important to know at any given time what employees are doing on the network; who they are dealing with; whether they are leaving with data and files; and whether they are violating policy by sharing sensitive information with outsiders. Careless employee practice is far more common than malicious practice. Oftentimes carelessness takes the form of simple negligence, such as clicking on a link in a random email. However, there are ways to mitigate the threats, which can reduce the risk of cyber-attacks by as much as 80 percent, including:

  1. Provide ongoing employee and contractor training on what to do and not to do
  2. Conduct a risk assessment to understand threats presented by an insider
  3. Continuously monitor employee and vendor networks
  4. Update and upgrade software
  5. Use encryption to guard against information being read by unauthorized parties
  6. Establish multi-factor authentication

For more information on health care provider cyber-security, contact Dr. Cornelia Dorfschmid at cdorfschmid@strategicm.com or at (703) 535-1419.

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Extending limited compliance resources

Co-Sourcing and On-Call Experts

Health care organizations seek the most efficient and effective means to meet the great challenges of maintaining an effective compliance program in the ever-changing regulatory and enforcement environment. As compliance officers seek ways to supplement their limited in-house resources, Co-Sourcing has been evolving as a preferred method when internal resourcing is lacking and out-sourcing the program to expert firms to provide a Designated Compliance Officer. Co-Sourcing involves using vendor expert services to supplement limited staff resources to carry out part of their workload. One of the most common Co-Sourcing methods is to engage a firm with compliance experts under an “on-call” engagement agreement. This permits using the experts only when and as needed, while maintaining control and direction of the program. This approach is also recognized by the OIG as a useful solution where an organization is limited in its compliance expertise and resources.

Co-Sourcing Benefits

  • Gains immediate access to specialized resources and experts not available internally
  • Less expensive to hire experts for limited services than to hire new full-time staff
  • Addresses the problem of an unexpected loss of staff and resulting resource issues
  • Brings the benefit of experience with other organizations
  • Provides subject matter expertise
  • Fills any lack of in-house expertise in selected areas
  • Facilitates meeting the ebb and flow of managing all the compliance obligations
  • Keeps organizations current with ever-changing regulatory and enforcement challenges
  • Accesses needed services, on-demand
  • Can be tasked to complete special projects
  • Fills a knowledge gap in training, fraud risk assessment, or other compliance-related needs
  • Meets obligations across multiple facilities in different jurisdictions
  • Develops best practice solutions to problems identified
  • Provides benchmarks of current processes against compliance standards
  • Implements or improves compliance effectiveness metrics
  • Quickly addresses new regulatory and emerging risks
  • Promptly and efficiently meets new leadership demands
  • Implements best practice standards and processes
  • Meets any sudden need for investigative or forensic expertise
  • Evaluates ongoing monitoring of compliance high risk areas
  • Assists in development of compliance work plans
  • Enables compliance officers to stay focused on program management and strategic planning
  • Increases flexibility in using experts who understand related laws/regulatory requirements
  • Performs operational and compliance auditing

For more information on how Co-Sourcing arrangements can work, contact Kashish Parikh-Chopra, JD at kchopra@strategicm.com or (703) 535-1413.

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Questions board-level compliance committees should be asking

HHS OIG compliance guidance calls for a Board-level committee to oversee the Compliance Program (CP). The HHS Inspector General noted that the best boards are those that are active, questioning, and exercise (constructive) skepticism in their oversight, asking probing questions about the compliance program. Boards need to know what type of questions they should be asking, and compliance officers should assist them with this problem. However, compliance officers in turn should be prepared to provide full and complete answers to them. The OIG and American Health Lawyers Association developed specific suggested questions that Boards should be asking in their jointly produced “Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors” and “Corporate Responsibility and Health Care Quality (2007): A Resource for Health Care Boards of Directors”. The following are drawn from these advisory documents:

  1. Does the compliance officer have sufficient authority to implement the CP?
  2. What is the level of resources necessary to properly implement and operate the CP?
  3. Has the compliance officer been given sufficient resources to carry out the mission?
  4. Have compliance-related responsibilities been delegated across all levels of management?
  5. What evidence is there that all employees are held equally accountable for compliance?
  6. How has the code been incorporated into corporate policies across the organization?
  7. What evidence is there that the code is understood and accepted across the organization?
  8. Has management taken affirmative steps to publicize the importance of the code to employees?
  9. Have compliance-related policies been developed that address compliance risk areas?
  10. Are there policies/procedures for CP operation and how they should be reviewed/updated?
  11. What kind of document management ensures compliance-related documents are up to date?
  12. What is the scope of compliance-related education and training?
  13. What evidence is there of the effectiveness of CP training?
  14. What measures enforce training mandates and provide remedial training?
  15. What evidence is available that employees understand compliance expectations?
  16. How are compliance risks identified?
  17. What is the evidence that identified compliance risks are being addressed?
  18. Is the board being kept up to date on regulatory and industry compliance risks?
  19. How is the compliance program structured to address such risks?
  20. How are “at risk” operations assessed from a compliance perspective?
  21. Is conformance with the CP periodically evaluated?
  22. Does the CP undergo periodic independent evaluation of its effectiveness?
  23. What is the process for evaluating and responding to suspected compliance violations?
  24. What kind of training is provided to those who conduct investigations of reported violations?
  25. How do the CO, HRM, and legal counsel coordinate in resolving compliance issues?
  26. What are the policies to ensure preservation of relevant CP documents and information?
  27. What policies address protection of “whistleblowers” and those accused of misconduct?
  28. What are the results of ongoing compliance monitoring by all program managers?
  29. How is ongoing compliance auditing being performed and by whom?
  30. How often is sanction-screening conducted and with what results?
  31. Are results from sanction-screening included in a signed report by the responsible parties?
  32. Has the CP been evaluated for effectiveness by a qualified independent reviewer?
  33. What evidence is there regarding the effectiveness of hotline operation and follow-up investigations?
  34. What are the metrics being used to evidence CP effectiveness?
  35. What are the results of an independent review and assessment of the CP?

For more information regarding tools and resources available to assist in answering these questions, contact Daniel Peake at dpeake@complianceresource.com or 703-236-9854.

Copyright © 2019 Strategic Management Services, LLC. Published with permission.