Kusserow on Compliance: Engaging experts to supplement and assist compliance offices

Most compliance offices are swamped with work. Sometimes it is a periodic rush to meet some urgency, while at other times there is just too much to be done with too little to meet all challenges in the ever-changing regulatory and enforcement environment. There are three broad ways to handle the load: (1) insource, so that all compliance office work is handled in-house, using consultants only occasionally for advisory services or evaluation of the compliance program; (2) outsource the compliance program to designated or interim compliance officers as a temporary solution for maintaining continuity, using an expert to be the interim compliance officer; or (3) cosource by using on-call experts to supplement the compliance office with specific duties or assignments.

Suzanne Castaldo, J.D., an expert on the subject, notes that many smaller organizations cannot justify the cost and burdens of supporting the program in-house and outsource it entirely to a designated compliance officer, who most often is a part-time engaged expert. The HHS Office of the Inspector General (OIG) recognized the use of designated compliance officers who may serve in that capacity for several organizations. Taking this approach should entail engaging experts on a part-time basis. If a full-time person can be afforded, then using this approach doesn’t make sense. The benefits include bringing the experience of many organizations to an entity that could ill afford to develop that experience in-house.

Kashish Chopra, J.D., MBA, CHC, has served as an interim compliance officer and makes the point that in this day and age, with such a rapidly evolving regulatory and enforcement environment, health care organizations cannot afford to take the chance on having a gap in the compliance office. Having an expert on a short-term engagement can take over the reins of the program while a permanent replacement is found.

Jillian Bower, a highly experienced consultant, has been instrumental in providing supplemental support to compliance officers. She noted that cosourcing has evolved as a “middle ground” between insourcing and outsourcing and has also been recognized by the OIG as a useful solution when expertise and resources are limited. It involves using experts on an ongoing basis to supplement limited staff resources by carrying out part of their workload. It offers the advantage of the compliance officer maintaining control and direction of the program. Cosourcing can help bridge the gap in a manner that does not compromise the flexibility to easily return to a position where the Compliance Office can reassume full operation and end cosourcing at any time, once staffing issues are resolved. It is hiring piecemeal as needed. Common cosourcing arrangements include using a consultant as a HIPAA privacy and/or security officer, conducting ongoing monitoring/auditing, performing enterprise risk management/analysis, engaging a statistical claims data analyst to determine error rates, managing hotline operations, conducting compliance investigations/training, reviewing arrangements with referral sources, and managing sanction screening operations.

The fact is that there are options for consideration when a compliance program is being stretched beyond its capability to meet challenges or where a gap takes place among key compliance staff.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Tips for getting the most from your CIA

This was the title of a section in a presentation by Laura Ellis, HHS Office of Inspector General (OIG) Senior Counsel, at the recent Health Care Compliance Association (HCCA) Compliance Institute, where she explained that the settlement process is very lengthy, and that compliance officers should spend that time period preparing for what is to come. Even before matters are referred to the OIG for settlement negotiations, the matter will have been with the Department of Justice (DOJ) for a long time. It is only after the DOJ turns matters over to the OIG that the agency determines whether or not a corporate integrity agreement (CIA) is necessary, and if so, what terms and conditions should be included in the agreement. Ellis stated that negotiations with the OIG may take up to a year before a CIA emerges. It is during this rather long lead-up period that the compliance officer should be very busy preparing for what is to come. Ellis offered a number of suggestions for the compliance officer to follow while this process is underway, including:

Thomas Herrmann, J.D., was previously responsible for negotiating CIAs and providing monitors on behalf of the OIG, and has a number of years’ consulting experience, working with more than a dozen clients with CIAs and as an Independent Review Organization (IRO). He agreed with the Ellis statement about the long lead time before a CIA is signed, and that the compliance officer should not waste that valuable time. Once executed, the clock begins ticking and a lot has to be accomplished in a relatively short time. Among the most important tasks needing immediate attention is finding and vetting potential outside experts to be the IRO and, in some cases, compliance experts for the Board and quality monitors. The responsibility for selecting these experts lies with the organization, not the OIG. This may take a lot of time and warrants serious consideration as, in all likelihood, the organization will have them for five years. A mistake in selection will come back to haunt the organization and may aggravate matters with the OIG. The compliance officer should be very much involved in finding and selecting the right experts with the right expertise. The more experience the firm selected has in performing this type of work, the less likely there will be problems. An experienced firm won’t have the learning curve of an inexpert firm, which oftentimes adds cost to the engagement and results in poor reports to the OIG. For an organization that is already in hot water with the DOJ and OIG, this kind of complication is not wanted.

Carrie Kusserow has over 15 years’ compliance officer and consultant experience, and was brought in to be the compliance officer to an organization under a CIA while Laura Ellis was the monitor. Kusserow echoes Ellis’ advice to organizations to take steps to “get the most out of the money” expended on these resources. The more expert they are in the health care sector, the better. The more experience the individuals assigned to do the work have, particularly experience with the OIG, the better. The one thing to avoid is hiring an IRO and then paying it to learn about the type of work being done by the organization or how to interact with the OIG. Having top-notch experts can impart considerable added value from prior experience of doing this kind of work. She also pointed out that once these outside experts are engaged, there is another lag period before they begin their work and again before they present reports on the results of their work. It is a huge mistake to allow these gap periods to elapse without doing serious preparation work. It is important to begin planning at the earliest date for what is needed to meet CIA terms and conditions and to develop a project plan for execution. The planning process and timelines for meeting CIA requirements will have to take into account when reports by the IRO, and possibly the compliance expert, are due to the OIG.

Steve Forman, CPA, has over 35 years’ experience, having served both as a compliance officer and as an IRO many times, and as a compliance expert four times under a CIA. He advises compliance officers that one step that cannot be undertaken too soon is getting the Executive/Management Compliance Committee and Board Compliance Committee involved. They need to understand fully, in practical and operational terms, their personal obligations, along with what is needed from them to meet CIA obligations. He also strongly recommends, at the first indication that a CIA may be in the future, beginning to review posted agreements on the OIG website, especially those that involve similar types of organizations. One point of caution is that the OIG has been changing CIAs significantly as to new requirements, conditions, and certifications by board members and executives. Information derived from these reviews should be translated into a plan of action to ensure the organization is in tune with what the OIG will expect. He strongly suggests that compliance officers consider engaging compliance experts to do two things:

  1. Have an independent evaluation of the compliance program conducted, and act on its findings and recommendations. Having such a report, with evidence of correcting any deficiencies, can be invaluable evidence to the OIG in making a determination as to whether a CIA is necessary and, if so, in mitigating its terms and conditions. The OIG will be looking for this evidence.
  2. Once a CIA is executed, immediately engage experts to conduct a mock audit to test the terms and conditions that must be met under the CIA and to have them addressed before the IRO or compliance expert under the CIA begins work.

Taking these two steps can avoid a lot of problems, expenditures, and complications under a CIA. The OIG takes evidence from independent experts seriously. That is why it relies upon them as IROs, Compliance Experts, and Quality Monitors.

Kusserow on Compliance: Codes of conduct part 1—Meeting the challenge of developing and revising codes

Without question, one of the basic foundations of any effective compliance program is the code of conduct. All compliance guidance from the U.S. Sentencing Commission to the HHS Office of Inspector General (OIG) has called for having such a foundation document for any effective compliance program.  Many codes are far out of date and fail to provide the needed guidance for employees on their obligations toward compliance.  A round table of compliance experts, experienced in developing and revising codes, offered the following observations and ideas on the subject.

Tom Herrmann, J.D., was a leader in the OIG General Counsel’s office when the first guidance was published and has since assisted many organizations in drafting and/or revising codes of conduct. He observed that the initiation of OIG compliance program guidance provided the major stimulant for having codes of conduct. Others have added weight to code development, including the Sentencing Commission, Department of Justice (DOJ), and The Joint Commission (TJC). In the early days of responding to such guidance, it was common for law firms and others to provide template codes that were embedded in what organizations referred to as their ‘Compliance Plan.’ However, plans are statements of intent, and converting them into fully functioning and effective programs has taken years for some organizations. Unfortunately, many are still ‘stuck in first gear’ and have not converted their plans into effective programs. This includes bringing their codes up to date by reviewing, revising, and updating them, along with related compliance policies.

Steve Forman, CPA, has decades of experience as a compliance officer, internal auditor, and compliance consultant. He reminds people that compliance programs, and all that falls under them, should be subject to ongoing monitoring, as called for in compliance guidance. Codes should be part of that process to ensure they remain timely and consistent with policy development and changes in the regulatory environment. A review of the code should be done annually to ensure it is up to date. As compliance-related laws are passed or revised, or internal policies are developed or revisited, a company must adapt and respond quickly to the changing legal and regulatory environment. This includes updating the code. The code review process can be a major undertaking and should be approached with careful planning and involvement of the right people.

Carrie Kusserow has been developing codes of conduct for fifteen years and believes they should be an elaboration on the organization’s mission or vision and identify specific values that help accomplish the mission. To be truly effective, the code needs to reflect the spirit, tone, and culture of the organization. This means having the Board and executive leadership supporting and approving the document. If it doesn’t ring true to staff, securing their participation and cooperation in the compliance program will be much more difficult.  Furthermore, the context for the review of a code should be whether there have been problems with covered persons understanding the content. For many organizations, the code may have been written at a level beyond many employees’ understanding.  Kusserow strongly recommends that the code be written at no higher than the tenth grade reading level.

Camella Boateng, another expert who has been both a compliance officer and a consultant, makes the point that the OIG has repeatedly stated that when it comes to compliance programs, including the code and policies, there is no “one size fits all.” Though this is the case, there are certain best practices, such as beginning the code with an introductory statement and strong endorsement from the CEO. This should make it very clear that everyone in the organization is expected to act in an ethical manner and abide by all applicable laws and regulations affecting the organization. It should also state that it is everyone’s duty to report suspected wrongdoing, and that they can do so without fear of retaliation. The body of the code should address all the stakeholders in the organization, including the patients being served, employees, management, and regulatory agencies.

Suzanne Castaldo, J.D., worked with many clients in revising and updating their codes and found that too many codes have been written more like legal briefs than user-friendly advice. Some of the least useful codes she has reviewed included legalese with formal footnotes.  That is not user friendly. Rather, the code should be presented in the form of general guidelines to assist employees in understanding appropriate conduct and ways to deal with improper behavior.   The OIG compliance guidance documents call for including in codes the operation of the compliance program, along with explanations of applicable laws, such as the Anti-Kickback Statute, Stark Laws, and fraud statutes.

Jillian Bower, an expert on code and policy development, suggests that reviewing a variety of codes of organizations in the same sector provides a good benchmark for comparison and may provide ideas and insights that could be incorporated into revisions. She has found that one of the biggest problems in the way codes are presented to employees occurs when they are written like journal articles in lengthy paragraphs, making them too long and complicated in presentation.  She believes it is important to divide the code into topical subjects headed by an introductory statement of principles, followed by short bullet points that set standards for meeting them.

Al Bassett, J.D., has more than 30 years’ experience with compliance guidance. He believes the most effective means to develop or revise a code that will have wide acceptance and buy-in by everyone is to use a broad-based committee, under the leadership of the compliance officer, that provides input from a variety of perspectives. Critical to such an effort is having human resources management and legal counsel be part of the effort. However, he has found that sometimes an effort by a committee gets bogged down for a variety of reasons, including determining the form and format for the code, subject matter to be included, amount of detail needed, timing problems, etc. Keeping the process moving on track is important. As such, it is best to establish a plan at the beginning of the effort that has firm deadlines for each stage of the process. If management of this process is considered a problem, outside experts could be considered to facilitate matters. They can be useful for three reasons: (1) as outsiders they can sidestep ‘turf’ issues; (2) they have done it many times before and know how to focus the process; and (3) they have the credibility from doing this before.

All were invited to provide specific tips and suggestions for effective development and/or revision of codes of conduct that will be summarized in a March 9, 2017, blog posting.

Kusserow on Compliance: Tips on information security from the FTC

The health care sector is so focused on Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security related issues, under the watchful eyes of CMS and the Office for Civil Rights (OCR), that it is often forgotten that there are a host of other laws and regulations related to data security. The Federal Trade Commission (FTC) released “Start with Security: A Guide for Business,” a report concerning data security that has application to all business sectors, including health care. The FTC noted that the report draws upon “lessons learned from more than 50 law enforcement actions.” The guide provides a treasure trove of tips and best practices for protecting sensitive information and managing the associated risks.

The FTC begins with the recognition that sensitive information and data, including personnel information, customer/patient records, and credit information, pervade every part of a business, and that every part of a business is in turn affected by how that information is handled. Managing confidential information is therefore a challenge for every business. Betta Sherman, a health care consultant specializing in HIPAA Privacy and Security issues, notes “although this report applies to all business sectors, it is particularly relevant to the health care sector, which has the responsibility to safeguard protected health information (PHI).”

The report states that the starting point is establishing security policies and procedures. It is also important to think through the kind of information you collect, how long you keep it, and who can access it. Doing so reduces the risk of a data compromise down the road. Dr. Cornelia Dorfschmid, a recognized compliance expert, states that “security postures and threats change all the time. For health care organizations it is critical to test their own information security knowledge as well as current security architecture by occasionally engaging independent experts to conduct security risk assessments. Formal security assessments are expected under the HIPAA Security Rule and also required for compliance with meaningful use criteria. Not conducting such risk assessments regularly is foolish.”

Tips and best practices highlighted by the FTC

  • Avoid data security risks by only collecting needed sensitive information.
  • Hold on to information only as long as there is a legitimate business need for it.
  • Periodically review data and decide what needs to be kept and what is no longer necessary.
  • The longer the information is kept, the greater the risk that it may be misused or leaked.
  • Restrict access to sensitive data to only those that have a “need to know.”
  • Limit those with system-wide administrative access to data.
  • Establish strong authentication procedures, including passwords.
  • Require complex and unique passwords.
  • Store passwords securely to prevent unauthorized persons from obtaining access.
  • Guard against hackers by limiting the number of unsuccessful login attempts.
  • Periodically test for common vulnerabilities and security flaws.
  • Use strong cryptography to secure maintenance and transmission of sensitive data.
  • Keep sensitive information secure throughout its lifecycle.
  • Once information is transmitted and decrypted, it still must be protected.
  • Use industry-tested and accepted methods to safeguard and encrypt information.
  • Encryption must be configured and controlled properly to protect sensitive information.
  • Set up and monitor firewalls to limit access between computers on the network and the Internet.
  • Establish intrusion detection and prevention systems (IDS/IPS) for unwanted activity.
  • Install and require antivirus and antispyware programs for remote users accessing the network.
  • Place limits on third-party access to the network.
  • Ensure design changes and changes in management decisions do not permit vulnerabilities.
  • Use readily available secure communications tools pre-installed on mobile devices.
  • If software offers a privacy or security feature, verify that it works as advertised.
  • Test for vulnerabilities in systems in as many commonly known, reasonably foreseeable ways as possible.
  • Take care to select service providers able to implement appropriate security measures.
  • Require service providers to adopt reasonable security precautions.
  • Verify that the information collection program is consistent with privacy and security policies.
  • When using third-party software, apply security updates as they are issued.
  • Update and patch third-party software regularly to minimize security risks.
  • Have an effective process in place to receive and address security vulnerability reports.
  • Monitor usage and encryption of hard drives, laptops, flash drives, and disks.
  • Implement policies for secure document and data storage and retrieval.
  • Dispose of documents in a secure manner.
  • Protect devices that process personal information.
  • Secure sensitive information when it is outside the office.
  • Acknowledge that lost or stolen laptops, external drives, and mobile devices are a major cause of lost data.
  • Ensure files, drives, disks, etc. sent via ground mail or services are tracked and delivered.
  • Limit instances when employees need to carry sensitive data.
  • When traveling, confidential information should be kept out of sight.
  • Devices with confidential information should be under lock and key when out of sight.
  • Paperwork that is no longer needed should be shredded, burned, or pulverized so that it is unreadable.
  • Old hard drives and media with sensitive information should be professionally wiped clean.
  • Have periodic independent risk assessments to keep data, reputation, and business information safe.

Copyright © 2015 Strategic Management Services, LLC. Published with permission.