Kusserow on Compliance: Time for Compliance Program evaluation

  1. Have a 2021 workplan focusing on improving the Compliance Program
  2. Not having independent evaluations is evidence of lack of program effectiveness
  3. DOJ & OIG: Identifying & addressing weaknesses evidences program effectiveness

With 2020 coming to an end, it is time to look forward to the New Year and plan ways to identify areas for improvement of the Compliance Program, building on the results of independent evaluations. Both the OIG and DOJ stress the importance of evidencing Compliance Program (“CP”) effectiveness and that all programs are in progress, never completed. They see compliance officers identifying weaknesses and gaps that lead to improvements as positive evidence of an effective program. The DOJ “Evaluation of Corporate Compliance Programs” notes that there will always be ways the program can be improved and enhanced. The DOJ, in its 2020 Compliance Program Evaluation Guidelines, noted: “One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment.” The DOJ highlights the importance of effective implementation and evaluation measures to determine whether the compliance program is a “paper program” or one that is fully “implemented, reviewed, and revised, as appropriate, in an effective manner.” DOJ prosecutors are directed to ask: “Does the company evaluate periodically the effectiveness of the organization’s compliance program?” Regular, rigorous, and consistent review of compliance programs is now the expectation. The OIG calls for ongoing monitoring and independent ongoing auditing of Compliance Programs to evidence continuous improvement.

There are three general ways for independent evaluations: (1) a complete compliance program evaluation; (2) a compliance program gap analysis; or (3) an independently developed and administered employee survey of compliance knowledge, attitude and perceptions.

  1. Compliance Program effectiveness evaluations are recognized by experts as by far the best method to evidence how well the program is functioning. They measure outcomes by conducting a 360-degree evaluation that includes: (a) full document examination and review; (b) on-site review and testing of operations in action; and (c) interviews of Board members, executives, and selected key staff, plus focus group meetings. If done properly, the resulting reports will be 60 to 100 pages and include findings and observations, along with recommendations and suggestions for program improvement.
  2. Compliance program gap analysis is about half of the cost or less than a full compliance program evaluation, but the reduction of costs is matched by the diminished value of results. It is primarily a document “checklist” review, focusing on output metrics, rather than outcome metrics related to program effectiveness. It is best used with organizations with new or incomplete programs, desiring assistance in identifying elements needed to complete development of their program.  It can identify gaps for inexperienced compliance officers but lacks details by which this can be accomplished.
  3. Independently developed, validated, and administered compliance surveys of employees are the least expensive means, at a fraction of the cost of either of the two other methods, for evidencing and benchmarking compliance program effectiveness. The use of surveys has long been advocated by regulatory bodies, including in the Federal Sentencing Guidelines, OIG Compliance Program Guidance and DOJ guidelines. These organizations advise using surveys of employees to gauge how well the program is functioning. Surveys that are anchored in a large database of organizations permit benchmarking an organization against the universe. Compliance knowledge surveys test knowledge of the compliance program structure and operations and can provide very credible empirical evidence of the advancement of program knowledge, understanding and effectiveness. Compliance culture surveys focus on employee beliefs, attitudes, and perceptions concerning compliance, and are useful in measuring the extent to which individuals, coworkers, supervisors, and leaders demonstrate commitment to compliance. Both types of surveys should be considered, as they are useful in benchmarking and measuring change in the compliance environment over a period and provide different dimensions and perspectives on a compliance program.

For more information on the difference in scope of work between a full compliance program evaluation and a gap analysis, send your queries to Richard Kusserow at rkusserow@strategicm.com.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: DOJ compliance program guidelines once again focus on sufficiency of compliance resources

The 2020 Department of Justice (DOJ) Compliance Program Guidance for prosecutors places increased emphasis on questioning the adequacy of compliance resources that the DOJ views as essential for any program’s effective functioning. The DOJ elaborated that prosecutors should ask questions concerning whether the program is “adequately resourced and empowered to function effectively.” Put differently, even the most artfully constructed program is doomed to fail without sufficient funding, qualified compliance personnel, and widespread support throughout all levels of an organization. A question for many health care organizations is whether the organization would pass DOJ scrutiny on this point.

Results from the 2020 SAI Global Healthcare Compliance Benchmark Survey, developed with and analyzed by Strategic Management, included information regarding the adequacy of resources for Compliance Officers in meeting their challenges. Reading the details of the responses in the Survey suggests that many compliance offices are likely operating with less than fully adequate resources to meet DOJ expectations. The Survey results indicated that the average compliance office staff level is five individuals, with about one third of respondents reporting only one full- or part-time person. In a related question, over half of respondents indicated they are expecting their budget to remain mostly the same, with about one quarter expecting some increase, while at the same time assuming new responsibilities, most notably those related to HIPAA Privacy and Security. Given the average staffing level of compliance offices, increasing responsibilities, heightened enforcement by government agencies, and limited increases in budgetary resources, it is likely that most compliance offices are stretching their limited resources and would have difficulty meeting the DOJ standards. The Survey also found that many are turning to external vendors to provide services and tools, to stretch limited staff resources and to lower operating costs.

For more information on this subject, contact Richard Kusserow at rkusserow@strategicm.com.

Kusserow on Compliance: Compliance investigation witness interview questions

20 key questions to be answered

The biggest challenge to conducting successful compliance investigations is knowing how to conduct successful witness interviews. Many find a list of predetermined questions to ask witnesses in a compliance investigation useful. However, care needs to be taken, because this approach can limit the information the investigator will get from the interview by constraining the conversation within a rigid framework. Begin with simple questions about an individual’s position, how long they have worked for the organization, who their supervisor is, etc. This will allow the individual to relax a little bit before going into substantive questioning. Keeping the interview as a fluid conversation will likely lead to more productive results. It is always preferable to use open-ended questions to let a witness tell their story in their own way, such as “Tell in your own words about…” The following 20 questions can be used as a guide to frame your interviews and as a reminder at the end of the interview to ensure all the key points have been addressed:

  1. What happened?
  2. Where did it happen?
  3. When did it happen?
  4. Who did it?
  5. Has it happened before?
  6. How often?
  7. Who else was present?
  8. Do you know of others who may have been affected by the incident or behavior?
  9. Who else may have seen or heard the incident or behavior?
  10. How did you react?
  11. How did any others present react?
  12. Did you ever indicate that you were upset or offended by the incident or behavior?
  13. Have you discussed the incident or behavior with anyone?
  14. Has anyone else reported this?
  15. How has the incident or behavior affected you?
  16. How has the incident or behavior affected your job?
  17. Have you sought medical treatment or counseling because of the incident?
  18. Do you have any evidence or documentation about the incident or behavior?
  19. Is there anyone else who may have relevant information?
  20. Is there any other relevant information that I haven’t asked you about?

For more information on conducting compliance investigation interviews or securing investigator training, contact Richard Kusserow at Rkusserow@strategicm.com.

Kusserow on Compliance: Inova Health System another victim of ransomware attack

Inova Health System is the latest of a dozen health systems affected by a ransomware attack at a third-party software vendor. The Virginia-based health system issued a notice on September 9, 2002 notifying up to 1,045,270 patients and donors, according to a notification Inova submitted to the HHS Office for Civil Rights (OCR). The incident is traced back to Blackbaud Inc., a third-party service vendor used for fundraising and alumni or donor engagement efforts at non-profits and universities. Inova’s notice stated that it was notified by Blackbaud of a ransomware attack which it had discovered and stopped in May 2020.

The attack involved intermittently removing data from the Blackbaud system, which included certain information maintained for Inova. Investigation by Inova found that the data affected by the attack may have contained certain personal information of some patients and donors, including: full names, addresses, dates of birth, phone numbers, provider names, dates of service, hospital departments, and/or philanthropic giving history such as donation dates and amounts. The notice also stated there is no evidence that the data will be misused, disseminated or made publicly available, and Inova was assured that all compromised data was destroyed and the vulnerability that allowed the incident was closed. The incident did not expose Social Security numbers, financial account information, payment card information, or electronic health records. Blackbaud reportedly prevented the cybercriminals from blocking its system access and fully encrypting its files; however, the criminals were able to remove a copy of a subset of data. Blackbaud also reported paying a ransom so that the attackers would destroy their backup file of stolen information.
