Kusserow on Compliance: Conducting compliance risk assessments

Conducting compliance risk assessments continues to be a challenge for Compliance Officers. In SAI Global’s ninth annual Compliance Benchmark Survey, conducted with Strategic Management Services, nearly four out of ten responding organizations reported that the Compliance Office had responsibility for all risk management, not just for the compliance program. As with all program managers, Compliance Officers have responsibility for risk management in their areas of responsibility. This includes conducting risk assessments as part of ongoing monitoring. However, there remains a lot of confusion among compliance officers and organizations regarding the whole subject. Regardless of who assumes the responsibility for assessing risk areas, the subject should begin with how regulatory bodies define risk assessment.

Defining risk assessment 

Federal Regulations. (e) Annual review. The operating organization for each facility must review its compliance and ethics program annually and revise its program as needed to reflect changes in all applicable laws or regulations and within the operating organization and its facilities to improve its performance in deterring, reducing, and detecting violations under the Act and in promoting quality of care  (see 42 C.F.R. 483.85).

US Sentencing Commission Guidelines Manual. 2(a)(5) The organization shall take reasonable steps—(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program (§8B2.1 Nov. 2016).

OIG Compliance Guidance Documents. The OIG has in a variety of compliance guidance documents called for compliance risk assessments. For example, in their Compliance Guidance for Nursing Facilities they “recommend that all nursing facilities evaluate their current compliance policies and procedures by conducting a baseline assessment of risk areas, as well as subsequent reevaluations. . .” How a nursing facility assesses its compliance program performance is therefore integral to its success. The attributes of each individual element of a compliance program must be evaluated in order to assess the program’s “effectiveness” as a whole. Examining the comprehensiveness of policies and procedures implemented to satisfy these elements is merely the first step. Evaluating how a compliance program performs during the provider’s day-to-day operations becomes the critical indicator.

When conducting a risk assessment, it is necessary to determine the objectives. The following are ideas and tips concerning compliance program risk assessment.

Compliance program risk assessment objectives

  • Verify all the elements of the compliance program have been implemented
  • Determine whether all the elements are functioning as planned
  • Evaluate the documentation evidencing effectiveness of the program
  • Identify compliance program strengths, as well as areas warranting improvement
  • Develop a work plan to measure program improvements and address any weaknesses

Questions to ask about compliance risk areas

  • Were levels of risk and vulnerabilities assigned?
  • Is there an annual work plan to address identified high-risk areas?
  • Are there internal controls and policies addressing high-risk areas?
  • Are policies periodically reviewed and updated?
  • Do policies address applicable regulations, recent OIG Work Plans, etc?
  • Were compliance-related policies distributed to all covered persons?
  • Is there a Code of Conduct that provides compliance guidelines for employees?
  • Do employees sign a receipt evidencing receipt of the Code of Conduct?
  • What evidence is there that employees were trained on the Code and policies?
  • What evidence exists that employees understood and remembered the lessons?

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Nine tips for compliance officers—addressing high-risk areas

Carrie Kusserow is an expert on conducting compliance risk assessments and has been called upon by compliance officers to meet their challenge of addressing the numerous compliance high-risk areas. She notes that there are more than 40 high-risk areas identified by the OIG in its Compliance Guidance for hospitals. Guidance for other health care sectors has a similar set of compliance high-risk areas, and the number of identified compliance risk areas continues to grow every year. To meet this challenge, compliance officers must stress to program managers their ongoing monitoring responsibility to identify and manage compliance risks within their areas of operations. This includes keeping informed of current rules and regulations; ensuring changes are incorporated into policies and procedures; training staff on following that written guidance; and verifying staff adherence to new policies. Ongoing auditing of operational high-risk areas has two primary objectives: verifying that managers meet their obligations, and validating that the process achieves the desired outcomes. Audits need to be conducted by parties independent of the operational areas being audited, and may include compliance office staff, internal audit, outside consultants and auditors, or any combination thereof. She offered the following tips for consideration by compliance officers:

  1. Work with management to identify operational high-risk compliance areas as set forth in the OIG Work Plans, Fraud Alerts, Advisory Opinions, audits, and enforcement priorities and in Medicare contractor activities, industry news, PERM reports, and PEPPER data.

  2. Implement specialized training programs for program managers on what they need to do to meet their ongoing monitoring of high-risk areas in their operational area.

  3. Ensure that program managers have identified and listed all compliance high-risk areas related to their operational areas, and have developed/implemented monitoring plans for identified risk areas as part of meeting their ongoing monitoring responsibilities. This includes testing and reviewing the adequacy of the internal controls (e.g., policies/procedures) to reduce the likelihood that an unwanted event will occur in high-risk areas.

  4. Rank high-risk areas in terms of vulnerability and impact or damage from a risk incident. This includes calculating the potential damage from a compliance risk failure, including the magnitude of direct and indirect financial and reputational consequences; and the likelihood of a compliance risk event, by considering whether the area is a current enforcement priority based on risk assessment results.

  5. Develop and implement an audit plan based on risk assessment results, giving highest priority to the highest risk areas. The audits should test and continuously review current internal controls for adequacy in mitigating risk and reducing the chance of an unwanted risk event.

  6. Ensure corrective action plans have been instituted for all risk area deficiencies identified by ongoing monitoring or auditing.

  7. Have a follow-up review of any areas where there had been findings requiring remedial action to ensure corrective measures have been taken and are working as intended.

  8. Consider engaging compliance experts to independently evaluate the effectiveness of a compliance program.

  9. Present results of risk assessment, monitoring and auditing as regular agenda items for management and board level compliance committees.

For more information on compliance high-risk assessment, contact Carrie Kusserow, Strategic Management Managing Senior Consultant, at 703-535-1453 or ckusserow@strategicm.com.

 


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Exit interviews as a compliance communication channel

Tom Herrmann, JD, had served in a senior capacity with the Office of Counsel to the Inspector General (OIG) at HHS. He pointed out that the OIG, in its compliance guidance, calls for the development of effective lines of communication with employees as very important to the successful implementation of a compliance program and the reduction of any potential for fraud, abuse and waste. This includes implementation and use of hotlines (including anonymous hotlines), e-mails, written memoranda, newsletters, and other forms of information exchange to maintain these open lines of communication. One significant channel of communication is the use of exit interviews to debrief departing employees prior to their departure. A major factor influencing the advancement of exit interviews in connection with compliance programs has been the rise in the number of “whistleblowers.” Most of these come from people reporting on an organization they had recently left. As such, there is great value in debriefing those departing the job, including asking questions about any observed violations of law, regulation, Code of Conduct, or policies. Optimally, an exit interview process should be done in time to permit possible remedial actions before they leave employment. He has found that exit interviews can also be useful in avoiding other costly litigation involving unlawful harassment, discrimination, safety violations, etc. It is very important to keep a record of the interviews conducted and responses.

Carrie Kusserow has been developing, enhancing and monitoring exit interview programs for over 15 years. She noted that many organizations conduct employee exit interviews (also called exit surveys) to gather data for improving working conditions and retaining employees. This has been common in human resource management for generations and this type of communication can be useful in taking actions to correct deficiencies, reduce turnover, identify potential compliance-related problems, and maintain a productive work environment. However, exit interviews may also be used to alert an organization to company compliance issues, potential whistle-blowers, or quality of care issues. At a minimum, an exit interview should include compliance program oriented questions that relate to compliance education, policies, anonymous reporting procedures, and attitudes towards the compliance program. The following are examples:

  1. How effective was your training on the compliance program, Code of Conduct and policies?
  2. Were you trained on how to report concerns and problems confidentially or anonymously?
  3. Did you believe that those reporting compliance issues would be protected from retaliation?
  4. Are you aware of any ethical or compliance issues, and if so, did you report them?
  5. How could the company strengthen its message regarding ethics and compliance?
  6. Is everyone in the work force treated fairly?
  7. Do you believe management fully supports the compliance program?
  8. Are you leaving due to any compliance concerns about your job or work environment?
  9. Are you aware of any improper or illegal conduct in the workplace? If so, who and what?
  10. Have you reported compliance issues or concerns that are unaddressed? If so, explain.

 


Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: July/August 2018 Work Plan updates

The Office of Inspector General’s (OIG) work planning process is dynamic and adjustments are made throughout the year to meet priorities and to anticipate and respond to emerging issues with the resources available. Effective June 2017, the OIG has been updating its Work Plan monthly. The following are the updates posted for July and August 2018:

  1. 3-Dimensional Conformal Radiation Therapy (3D-CRT). 3D-CRT is a radiation therapy technique that allows doctors to sculpt radiation beams to the shape of a patient’s tumor provided in two treatment phases: planning and delivery. Hospitals bill Medicare for developing a 3D-CRT treatment plan using Current Procedural Terminology code 77295. Automated prepayment edits prevent additional payments for separately billed radiation planning services if they are billed on the same date of service as the 3D-CRT treatment plan. However, Medicare allows additional payments if they are billed on a different date of service (e.g., 1 day before). For a form of radiation similar to 3D-CRT, Medicare requirements prohibit payments for separately billed radiation planning services when they are billed on a different date of service. OIG auditors will determine the extent of potential savings to Medicare if it had implemented the same requirements for 3D-CRT planning services.

  2. Identification of HHS Cybersecurity Vulnerabilities. The OIG will perform a series of IT audits at the HHS Operating Divisions in an effort to identify cybersecurity vulnerabilities and possible compromise of the HHS Office of the Secretary and its OPDIVs’ systems and networks.

  3. HRSA’s Oversight of Funds for Access Increases in Mental Health and Substance Abuse Services (AIMS). The Health Resources and Services Administration (HRSA) administers AIMS grants and last year HRSA awarded $200 million in AIMS grants to 1,178 health centers nation-wide intended to expand access for existing Health Center Program grant recipients to mental health and substance abuse services, focusing on the treatment, prevention, and awareness of opioid abuse. The OIG will review HRSA’s internal controls to determine whether they are suitable for (1) awarding AIMS grants and (2) monitoring AIMS grant recipients.

  4. Increased Payments For Transfer Claims With Outliers. While the transfer rule reduces the Diagnosis Related Group (DRG), Disproportionate Share Hospital (DSH), and Indirect Medical Education (IME) payments on a Medicare beneficiary’s claim, the methodology for calculating cost outlier payments can result in such payments being higher than what would have been paid in a nontransfer context. Under the transfer rule, CMS reduces the DRG payment by applying a graduated per diem payment on the Medicare claim of the hospital transferring the patient to another setting early in the patient’s hospital stay. Because DSH and IME payments are determined as a percentage of the reduced DRG payment, they are also reduced. By contrast, by reducing the threshold above which a claim qualifies as an outlier, the application of the outlier methodology at 42 CFR Sec. 412.80(b) can result in an increase in the outlier payment in transfer cases. The OIG plans to produce a report describing the extent to which additional Medicare outlier payments negate the reduction in DRG, DSH, and IME payments of transfer claims.

  5. Review of Post-Operative Services Provided in the Global Surgery Period. Section 523 of Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) requires CMS to collect data on post-operative services included in global surgeries and requires OIG to audit and verify a sample of the data collected. The OIG will review a sample of global surgeries to determine the number of post-operative services documented in the medical records and compare it to the number of post-operative services reported in the data collected by CMS. The OIG plans to verify the accuracy of the number of post-operative visits reported to CMS by physicians and determine whether global surgery fees reflected the actual number of post-operative services that physicians provided to beneficiaries during the global surgery period.

  6. SAMHSA’s Oversight of Accreditation Bodies for Opioid Treatment Programs. The Substance Abuse and Mental Health Services Administration (SAMHSA) estimates that 2.5 million people have an opioid use disorder related to prescription pain relievers and/or heroin. Medication-Assisted Treatment (MAT), provided by opioid treatment programs (OTPs), is a significant component of the treatment protocols for opioid use disorder and plays a large role in combating the opioid epidemic in the United States. SAMHSA issued final regulations to establish an oversight system for the treatment of substance use disorders with MAT. These regulations (42 CFR Part 8) established procedures for an entity to become an approved accreditation body, which evaluates OTPs and ensures SAMHSA’s opioid dependency treatment standards are met. The OIG plans to determine whether SAMHSA’s oversight of accreditation bodies complied with Federal requirements; and will include SAMHSA-approved accrediting bodies that have accredited OTPs.

 


Copyright © 2017 Strategic Management Services, LLC. Published with permission.