Kusserow on Compliance: DOJ issues 2020 compliance program guidelines

Provides a more in-depth analysis of compliance programs

The DOJ released the updated Evaluation of Corporate Compliance Programs to assist prosecutors in making an informed analysis about an organization’s compliance program at the time of charging decisions. It has not changed much from the prior releases that included a list of 119 compliance-related questions. The new guidance continues to focus on three core questions derived from the Justice Manual, namely, whether a compliance program is “well designed,” “being applied earnestly and in good faith,” and “works in practice.” It restates the importance of having a compliance program suitable for the company’s risk profile but adds context and detail for companies to ensure that their compliance priorities are aligned with the DOJ’s expectations.

These include: (1) the importance of having an evolving, dynamic program; (2) the need for the compliance function to engage with company employees; (3) ensuring the program is thoughtful and responsive to the company’s context; and (4) the importance of adequate compliance resources and empowerment of the compliance function. Additional attention is given to these principles so that companies can enhance their compliance programs and adhere to best practices that would best position them in the event of an inquiry or enforcement action from a government regulator. The guidance reflects the continued expectation that a compliance program should evolve and improve over time as the business changes and the compliance function matures. Meaningful risk assessments and program evaluations are critical to this end. There is added language asking prosecutors to assess “why and how the company’s compliance program has evolved over time” and “has the periodic review led to updates in policies, procedures, and controls?”

The DOJ has continued to move away from the antiquated model of a generic, “off-the-shelf” compliance program and to focus more on how an organization acts in response to risk assessments. Other questions include whether the company has a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior identified issues or from those of other companies operating in the same industry and/or geographical region. The DOJ asks about effective monitoring of compliance and whether a company’s compliance program has continuous access to operational data and information across functions. The DOJ underscores, once again, the importance of having regular reviews of the compliance program, and makes it clear that these should not be “cookie cutter,” “check the box” type reviews. These reviews should lead to useful findings that result in meaningful changes and improvements. Greater emphasis is also given to the adequacy of compliance resources, quality of trained staff, and empowerment for the program. The importance of oversight of any third-party agents that act on a company’s behalf is stressed, including whether the company engages in risk management of third parties throughout the lifespan of the relationship. The questions include whether the company completed pre- and post-acquisition due diligence, and whether it has a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.

The guidance asks whether the company tracks access to various policies and procedures to understand what policies are attracting more attention from relevant employees, and if the policies have been published in a searchable format for easy access and reference. Employee training received new attention, with the guidance suggesting companies consider making the format of their trainings more responsive, including by: (1) investing in shorter, more targeted training sessions, and (2) ensuring a process by which employees can ask questions arising out of the training. In addition, there is the question as to the extent to which the training has an impact on employee behavior or operations. With regard to hotlines, the guidance has added language to ensure that the hotline is an accessible, responsive tool, asking whether the company tests whether employees are aware of the hotline and feel comfortable using it, and if reports are tracked from inception to finish.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Continued confusion regarding the CMS preclusion list

Those on the list are prohibited from receiving payment from MA plans or Part D sponsors

Questions continue to arise concerning the CMS Preclusion List final rule. The Preclusion List is a list generated by CMS that contains the names of prescribers, individuals, and entities that are unable to receive payment for Medicare Advantage (MA) items and services and/or Part D drugs prescribed or provided to Medicare beneficiaries. The rule mandates Part D sponsors, or their pharmacy benefit managers, to screen against the Preclusion List and reject any pharmacy claim prescribed by an individual or entity on it. MA plans must deny payment for a health care item or service furnished by an individual or entity on the list. Plans and sponsors must also notify impacted beneficiaries who received care or a prescription from a provider on the Preclusion List in the last twelve months. The list includes those who are currently revoked from Medicare, are under an active reenrollment bar, and whose underlying conduct CMS has determined to be detrimental to the Medicare program; or have engaged in behavior for which CMS could have revoked the prescriber and determined the underlying conduct would have led to the revocation. Such conduct includes, but is not limited to, felony convictions and OIG exclusions. CMS indicated that individuals or entities appearing on the List of Excluded Individuals/Entities (LEIE) and/or the System for Award Management (SAM) list would also be placed on the Preclusion List.

MA plans and Part D sponsors are required to access the list through an Enterprise Identity Data Management (EIDM) account with CMS. The list is updated monthly. The cause of most of the confusion is that only plans approved by CMS are granted access to the Preclusion List. As a result, many, if not most, organizations use a vendor for sanction screening services. However, the vendors are not always given access to the list. The way around this obstacle has been for plans to give their vendor the list and have them include it in their screening services. Another point of confusion is that, technically, it is not a sanction list. It includes many parties who have not been formally sanctioned to be included on the OIG LEIE, although many on the list are also on the LEIE.

 


Kusserow on Compliance: Questions concerning compliance outsourcing

One of the most significant recent trends has been the movement towards outsourcing as many functions as possible that are not directly involved in a business’s core activities. The two most prevalent motivations for outsourcing are cost savings and gaining expertise. For most, there are many questions regarding this practice in the compliance arena.

WHY? Today, many pieces of compliance offices are routinely outsourced to enable the compliance office to focus on the core elements of the program. Among the functions commonly outsourced to vendors are hotlines, sanction screening services, and training programs. In some cases, the reason to seek expert assistance arises upon a departure that creates a gap where assistance is needed until a replacement can be hired. Also, an existing compliance program may need supplemental assistance to deal with added responsibilities, such as HIPAA Privacy/Security Officer support.

WHEN? Often the decision is made when there are identified weaknesses or gaps in operations, such as a vacancy among compliance, privacy, and security officers. In other cases, it may be the need for quick fixes as a result of government intervention, such as settlement mandates.

WHERE? Where do you find necessary compliance expertise to engage? The easiest starting point is checking the internet to find professional journal articles on the subject. This can provide additional insights into the subject, as well as identify experts on the subject. Also, an Internet search can identify firms that may provide the needed service.

WHO? Who are some of these experts that can fill gaps or supplement compliance programs, and that have built, assessed, and managed effective compliance programs? They are individuals with hands-on experience in multiple circumstances and settings that makes them experts. The following are examples of experts with extensive compliance program consulting experience, as well as having served in multiple compliance officer roles:

  • Cornelia Dorfschmid, PhD, over 20 years of health care consulting experience with service on multiple occasions as designated/interim compliance officer with hospital systems and physician practices.
  • Steve Forman, CPA, 12 years as a health care consultant; 10 years as VP for Audit/Compliance at a hospital system; and multiple service as interim/designated compliance officer.
  • Suzanne Castaldo, JD, CHC, experienced consultant who served as interim/designated compliance officer several times.
  • Thomas E. Herrmann, JD, 20 years with the Office of General Counsel to the IG; 6 years as Appellate Judge for the Medicare Appeal Council; and 5 years as a compliance consultant and multiple service as interim/designated compliance officer.

HOW? How can an organization use compliance experts to best advantage? There are many benefits in using qualified experts, but the key when investing in them is to obtain an optimum return on the cost by ensuring substantial added value. In addition to day-to-day management, consider including some of the following:

  1. Examine the program to confirm strengths and identify opportunities for improvement
  2. Conduct an independent evaluation of the program for senior management and board
  3. Review the Code and other written guidance
  4. Evaluate quality and effectiveness of compliance training
  5. Assess high-risk areas that warrant attention
  6. Assess resources needed to effectively operate the compliance program
  7. Have them identify and build metrics evidencing compliance program effectiveness
  8. Use them to assist in identification and evaluation of candidates for the permanent position
  9. Provide a “road map” for incoming compliance officer to follow

WHAT? What is the level of effort needed to use compliance experts in compliance programs? Even for large organizations, a true compliance expert can hold things together for several months without having to be full time on site. Most organizations can keep their compliance program running efficiently using an expert for 50 to 80 hours per month for up to 6 months, before it becomes critical to have a permanent compliance officer put in place. For smaller organizations and most physician practices, the number of hours is often half that rate. With current technology and communication, not all hours need to be on site; however, the key is to have the expert on call and available to address any emergent issues. It is worth noting that the OIG has accepted the fact that for smaller organizations, it may make sense to engage a qualified expert as the Designated Compliance Officer. The OIG cites many reasons an organization may consider using an outside expert instead of a W-2 full-time employee.

For more information on this topic, contact Suzanne Castaldo, JD at scastaldo@strategicm.com.

 


Kusserow on Compliance: Tips for reducing the risk of cyber-attacks

Tim Murphy, former FBI deputy director, stated that he rated cyber-attacks as the number one threat facing the country. Threats come from both inside organizations and outside. Insider threats may involve current or former employees or vendors. They may be motivated to steal intellectual property or funds, or simply to cause problems. The danger of employee-related crimes is that insiders have inside information concerning how things work and have access to data and computer systems. One of the best ways to combat attacks by insiders is to maintain continuous monitoring of an individual’s public, online activity as well as the internal, network activity to detect changes in behavior. Often, cyber-attackers have patterns of detectable behavior and network activity which can provide indicators of risk and assist in early detection. It is important to know at any given time what employees are doing on the network; who they are dealing with; if they are leaving with data and files; and whether they are violating policy by sharing sensitive information with outsiders. Employee engagement in careless practice is far more common than engagement in malicious practice. Oftentimes carelessness takes the form of simple negligence, such as clicking on a link in a random email. However, there are ways to mitigate the threats, which can reduce the risk of cyber-attacks by as much as 80 percent, including:

  1. Provide ongoing employee and contractor training on what to do and not to do
  2. Conduct a risk assessment to understand threats presented by an insider
  3. Continuously monitor employee and vendor networks
  4. Update and upgrade software
  5. Use encryption to guard against information being read by unauthorized parties
  6. Establish multi-factor authentication

For more information on health care provider cyber-security, contact Dr. Cornelia Dorfschmid at cdorfschmid@strategicm.com or at (703) 535-1419.


Copyright © 2019 Strategic Management Services, LLC. Published with permission.