Kusserow on Compliance: Conducting compliance risk assessments

The issue of conducting compliance risk assessments continues to be a challenge for Compliance Officers. In the SAI Global’s ninth annual Compliance Benchmark Survey conducted with Strategic Management Services, nearly four out of ten responding organizations reported that the Compliance Office had responsibility for all risk management, not just for the compliance program.  As with all program managers, Compliance Officers have responsibility for risk management in the areas of their areas of responsibilities. This includes conducting risk assessments as part of ongoing monitoring.  However, there remains a lot of confusion among compliance officers and organizations regarding the whole subject. However, regardless of who assumes the responsibility for assessing risk areas, the subject should begin with how regulatory bodies define risk assessment.

Defining risk assessment 

Federal Regulations. (e) Annual review. The operating organization for each facility must review its compliance and ethics program annually and revise its program as needed to reflect changes in all applicable laws or regulations and within the operating organization and its facilities to improve its performance in deterring, reducing, and detecting violations under the Act and in promoting quality of care  (see 42 C.F.R. 483.85).

US Sentencing Commission Guidelines Manual. 2(a)(5) The organization shall take reasonable steps—(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program (§8B2.1 Nov. 2016).

OIG Compliance Guidance Documents.  The OIG has in a variety of compliance guidance documents called for compliance risk assessments. For example, in their Compliance Guidance for Nursing Faculties they “recommend that all nursing facilities evaluate their current compliance policies and procedures by conducting a baseline assessment of risk areas, as well as subsequent reevaluations. . .” How a nursing facility assesses its compliance program performance is therefore integral to its success. The attributes of each individual element of a compliance program must be evaluated in order to assess the program’s ‘‘effectiveness’’ as a whole. Examining the comprehensiveness of policies and procedures implemented to satisfy these elements is merely the first step. Evaluating how a compliance program performs during the provider’s day-to-day operations becomes the critical indicator.

When conducting a risk assessment it is necessary to determine the objectives. The following relates to ideas and tips concerning compliance program risk assessment.

Compliance program risk assessment objectives

  • Verify all the elements of the compliance program have been implemented
  • Determine whether all the elements are functioning as planned
  • Evaluate the documentation evidencing effectiveness of the program
  • Identify compliance program strengths, as well as areas warranting improvement
  • Develop a work plan to measure program improvements and address any weaknesses

Questions to ask about compliance risk areas

  • Were levels of risk and vulnerabilities assigned?
  • Is there an annual work plan to address identified high-risk areas?
  • Are their internal controls and policies addressing high-risk areas?
  • Are policies periodically reviewed and updated?
  • Do policies address applicable regulations, recent OIG Work Plans, etc?
  • Were compliance-related policies distributed to all covered persons?
  • Is there a Code of Conduct that provides compliance guidelines for employees?
  • Do employees signed receipt evidencing receipt of Code of Conduct?
  • What evidence is there that employees were trained on the Code and policies?
  • What evidence exist that employees understood and remembered lessons?

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Nine tips for compliance officers—addressing high-risk areas

Carrie Kusserow is an expert on conducting compliance risk assessments and has been called upon by compliance officers to meet their challenge of addressing the numerous compliance high-risk areas. She notes that there are more than 40 high-risk areas identified by the OIG in its Compliance Guidance for hospitals. Guidance for other health care sectors has a similar set of compliance high-risk areas and the number of identified compliance risk areas continues to grow every year. To meet this challenge, compliance officers must stress to program managers their ongoing monitoring responsibility to identify and manage compliance risks within their areas of operations. This includes keeping informed of current rules and regulations; ensuring changes are incorporated into policies and procedures; training staff on following that written guidance; and verifying staff adherence to new policies. Ongoing auditing of operational high-risk areas has two primary objectives, including verifying that managers meet their obligations, and validating that the process achieves the desired outcomes. Audits need to be conducted by parties independent of the operational areas being audited, and may include compliance office staff, internal audit, outsider consultants and auditors, or any combination thereof. She offered the following tips for consideration by compliance officers:

 

  1. Work with management to identify operational high-risk compliance areas as set forth in the OIG Work Plans, Fraud Alerts, Advisory Opinions, audits, and enforcement priorities and in Medicare contractor activities, industry news, PERM reports, and PEPPER data.

 

  1. Implement specialized training programs for program managers on what they need to do to meet their ongoing monitoring of high-risk areas in their operational area.

 

  1. Ensure that program managers have identified and listed all compliance high-risks areas related to their operational areas; have developed/implemented monitoring plans for identified risk areas as part of meeting their ongoing monitoring responsibilities. This includes testing and reviewing adequacy of the internal controls (e.g. policies/procedures) to reduce likelihood of that an unwanted event will occur in high risk areas.

 

  1. Rank high-risk areas in terms of vulnerability and impact or damage from a risk incident, including calculating the potential damage from a compliance risk failure, including the magnitude of direct and indirect financial and reputational consequences; and the likelihood of a compliance risk event by considering whether the area is a current enforcement priority based on risk assessment results.

 

  1. Develop and implement an audit plan based on risk assessment results, giving highest priority to the highest risk areas. The audits should test and continuously review current internal controls for adequacy in mitigating risk and reducing the chance of an unwanted risk event.

 

  1. Ensure corrective action plans have been instituted for all risk area deficiencies identified by ongoing monitoring or auditing.

 

  1. Have a follow-up review of any areas where there had been findings requiring remedial action to ensure corrective measures have been taken and are working as intended.

 

  1. Consider engaging compliance experts to independently evaluate the effectiveness of a compliance program.

 

  1. Present results of risk assessment, monitoring and auditing as regular agenda items for management and board level compliance committees.

 

For more information on compliance high-risk assessment, contact Carrie Kusserow, Strategic Management Managing Senior Consultant (703-535-1453) or at ckusserow@strategicm.com

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: HHS OIG Spring 2018 semi-annual report on sanctions and exclusions

1,678 administrative sanctions

1,588 individuals and entities excluded

$35.5 million in CMPL penalties/assessments

The OIG released its first semi-annual report for 2018 that included the number of administrative sanctions, exclusion actions taken, and CMPL penalties imposed. There were a total of 1,588 individuals and entities excluded from Medicare, Medicaid, and other Federal health care programs.  Most of the exclusions resulted from convictions for crimes relating to Medicare or Medicaid, for patient abuse or neglect, or as a result of license revocation. The OIG has a number of Administrative Sanction authorities whereby they have added steadily to the LEIE database.  In the last three years the OIG added over 10,000 exclusions to the List of Excluded Individuals and Entities (LEIE). The OIG also imposed 1,678 administrative sanctions and Civil Monetary Penalty Law penalties and assessments involving more than $35.5 million.

Comments from experts concerning sanctions

Tom Herrmann, JD, served for 20 years in the OIG Counsel’s Office, including being the Chief of the Administrative Litigation Branch, responsible for the litigation of cases involving the imposition of civil monetary penalties and program exclusions.  He explained that the OIG has been delegated the authorities to impose Civil Monetary Penalties, assessments, and program exclusion on health care providers and others determined to have engaged in defined wrongdoing. The effect of an OIG exclusion is that no payment may be made for any items or services furnished by an excluded individual or entity, or directed or prescribed by an excluded physician. In almost all instances where the OIG’s imposition of program exclusion or CMPs is appealed, it is upheld by an Administrative Law Judge (ALJ), the Departmental Appeals Board (DAB), and federal courts. As such, it is absolutely essential to have ongoing sanction-screening of anyone engaged by a health care organization.

Jillian Bower-Concepcion is another highly experienced health care compliance consultant, who has assisted scores of clients in meeting the sanction-screening obligations through the Compliance Resource Center (CRC). She notes the OIG posts their exclusions on their LEIE and calls for screening of all individuals and entities engaged by or with whom they do business against that listing. CMS has also been very aggressive in calling for sanction screening, not only of the LEIE, but Debarments posted by the GSA, as well as pressuring state Medicaid Directors to establish exclusion databases and mandate monthly screening by their enrolled providers. In order to meet screening mandates, it is almost a necessity to use a vendor search engine tools to assist in sanction-screening. This saves organizations from downloading the sanction databases of all the entities and developing their own search engine. Using a vendor for this purpose is a step in the right direction; however the bulk of the work remains with the organization to do screening and resolving potential “hits” remains with the organization. Altogether this can be a considerable effort and many organizations have to dedicate one or many employees to meet all these obligations.  Alternatively, many just outsource the entire process, including verification and certification of results to a vendor.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG cases involving sanctioned parties and tips to avoid violations

Compliance Officers must screen employees against the List of Excluded Individuals and Entities (LEIE). This is stressed in all of the OIG’s compliance guidance documents. CMS makes it a condition of participation and enrollment. The LEIE continues to change and grow with more than 3,000 exclusions added annually. Failure to screen employees, medical staff, contractors, and vendors results in a great risk. The OIG may consider claims that include work or products from a sanctioned party to be false and fraudulent. Violations can result in monetary penalties. Most cases that deal with this issue are brought to the OIG’s attention through the “Self-Disclosure Protocol.”  In all the recent cases posted, the OIG imposed penalties, but the penalties were mitigated by the fact the matters were self-disclosed—as a result, none of these cases resulted in a Corporate Integrity Agreement (CIA). The OIG posts a number of these cases on its website. The following are examples of recent actions against organizations that engaged individuals they knew or should have known were excluded from participation in the federal health care programs:

  • Southwest Trinity Management, LLC (STM), in Oklahoma paid $141,986.36 in settlement for employing an excluded licensed practical nurse that provided items or services that were billed to Federal health care programs.
  • Diamonds & Pearls Health Services, LLC (DPHS), Cleveland, Ohio paid $75,471.92 for employing an excluded individual who was a scheduling/staffing coordinator, provided items or services to DPHS patients that were billed to Federal health care programs.
  • Center for Ear, Nose Throat & Allergy, P.C. (CENTA) in Indiana, paid $51,564.14 for employing an excluded medical records file clerk, provided items or services to CENTA’s patients that were billed to Federal health care programs.
  • MHMR, Fort Worth, Texas, paid $97,869.78 for employing a program director who had been excluded to provide items or services to clients who were receiving services funded by a Medicaid waiver program.
  • Shawnee Health Services (Shawnee), Carterville, Illinois, paid $107,761.08 as result of employing an excluded individual as a case manager, provided items or services to clients that were receiving services under a Medicaid waiver program.
  • Arkansas Department of Health (ADH) paid $39,343.61 as result of employing an excluded hospice social worker that provided items or services to patients of a community based hospice operated by ADH.
  • Century Pharmacy (Century), Brooklyn, New York, paid $10,000 for an employed excluded individual, who assisted in filling prescriptions in addition to performing other clerical tasks, provided items or services to Century patients that were billed to Federal health care programs.
  • Sundance Behavioral Healthcare System (Sundance), Texas, paid $49,183.48 for an employed sanctioned licensed vocational nurse that provided items or services to patients that were billed to Federal health care programs.
  • ASAP Professional Home Health (ASAP), Houston, Texas, paid $21,797.76 for an employed excluded attendant, provided items or services to ASAP patients that were billed to Federal health care programs.

Practical Screening Tips

  1. Ensure periodic sanction screening of employees, medical staff, contractors, and vendors against the LEIE—best practice is monthly screening.
  2. Inasmuch as most states have developed their own exclusion database, with many states mandating monthly screenings, care should be taken to understand and meet state screening requirements.
  3. Inasmuch as most LEIE exclusions arise from another underlying court, state agency, or licensure board action, it is advisable to also conduct background checks and seek written assurances in applications that prospective employees, contractors, and vendors have not been subject to any prior court or licensure board actions.
  4. It is common for individuals that may be the subject of an investigation, but not yet sanctioned with final actions, to be under investigation for considerable time, therefore it is a best practice to require as a condition of employment, gaining staff privileges, or engagement for the applicant to attest that they have not been, nor are they now, the subject of an investigation by any duly authorized regulatory or enforcement agency. It is also advisable to add a condition that they must promptly report any notice of investigation that involves them.
  5. Educate and inform management and employees on their obligation to promptly report any notification of an adverse action by any duly authorized regulatory or enforcement agency.

Daniel Peake of the Compliance Resource Center (CRC) works with many organizations in ensuring proper sanction screening and from that experience offers a number of practical tips to avoid creating an actionable violation.  He can be reached at dpeake@strategicm.com or (703) 236-9850.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.