Kusserow on Compliance: Effective hotline programs

All healthcare organizations need confidential compliance communication channels. First and foremost among them is a hotline. By definition, all effective compliance programs should have a hotline. It is an important avenue of communication between employees and management, in that it permits employees to report sensitive matters outside the normal supervisory channels.  The reality is that developing and monitoring a hotline is a critical part of any effective compliance program. It provides an avenue of communication that permits employees to report sensitive matters outside the normal supervisory channels. The compliance officer bears the responsibility of constantly reviewing and improving the effectiveness of the hotline operation.  The US Sentencing Commission, the HHS Office of Inspector General (OIG), and Department of Justice (DOJ) all call for having a hotline, as well as other authorities, including the Sarbanes-Oxley Act for publicly traded companies and the federal courts in connection with unlawful harassment. Failure to establish positive internal compliance reporting channels often results in reporting externally to the OIG and DOJ from “whistleblowers.” The challenge is establishing effective internal compliance communication. Today, it is the exception to find organizations trying to manage a hotline function internally. The fact is that any advantage of internally operated hotlines is more than off-set by the disadvantages.

From a practical standpoint, it simply is not cost effective to operate a hotline 24/7 internally.  Even those that decide to operate and manage the function in house are confronted with a number of challenges—it is extremely inefficient, costly and seldom meets any minimum standards. Hotline numbers will need to be “backstopped” against tracing and all caller identification systems have to be blocked. People answering the calls in house should not be highly visible to the work force. Confidence comes from neither party being known to the other. Hotline vendors have the training and experience to handle complainants. Callers are generally nervous and afraid and knowing they are providing information to an outside party generally is reassuring. They always raise the question of whether anonymity is truly offered and whether employees will ever sufficiently trust calling an employee. It has become the standard practice for organizations to outsource their hotline to a vendor.  However, evaluating those providing the best service at the right price is a challenge. The following are questions that can be used to determine a properly qualified vendor. Those failing key tests should be avoided as they may prove to be a future liability.

 

Questions for hotline vendors

  1. Cost of Service. Does the vendor charge an established fixed rate or sliding rate based upon number of calls? Seek a fixed, not a variable rate, based upon number or time of calls. A good rule of thumb is that the cost of a hotline service should not exceed $1-3 per employee per year.

 

  1. Industry Focus. Can the vendor evidence having understanding and expertise of issues related to the health care industry? Failing to understand healthcare standards and regulatory matters limits the ability to properly debrief callers. Ask for a breakdown of the types of clients they serve by industries.

 

  1. Hours of Service. Does the vendor provide 24/7 service? If not, don’t use them.

 

  1. Call Centers. Does the vendor provide call services? If so, avoid them completely. Call centers provide outbound calls used to promote services and products. Others answer after hour services for businesses (doctors, plumbers, electricians, etc.) and relate messages to their clients. The people doing this are performing a clerical function and answering hotline calls requires more professional expertise. Furthermore, there is the risk of having calls interrupted by a call for some needing emergency service.

 

  1. Hotline Service Types. Does the vendor provide multiple levels of service for (a) receiving live operator calls and (b) a web-based reporting system that prompts individual complainants? One level alone is not enough.

 

  1. Avoiding Vendor Contract Traps. Does the contract permit cancellation at any time with a simple 30 day notice? If not, don’t use them. Staying with a vendor should be because of good service, not because of being locked into them by contract terms. If you have a current contract, check the termination clauses to see if cancelling a contract is cumbersome. If it is, ask to renegotiate the termination clause. If they decline, then take steps to follow termination procedures in the contract.

 

  1. Hotline Number. Does the vendor want to use their phone number? This is a common vendor trap to lock in users to their service. You advertise their number everywhere and to change would necessitate changing all the places you have advertise the number. Always use and own your own hotline number that can be pointed to a vendor.

 

  1. Language Translation. Does the vendor provide a language translation service to address non-English speakers?

 

  1. Check Vendor Background. What is the level of hotline experience among the ownership, management, and operation of the service?

 

  1. Length of Hotline Experience. How many years of experience can the vendor evidence in the management of hotline operations?

 

  1. Policies, Procedures, and Protocols. Does the vendor provide advice on developing operating protocols for following up an allegations and complaints received through the hotline?

 

  1. Business Associate Agreement (BAA). Does the vendor offer to sign a BAA to meet HIPAA protected health information (PHI) requirements for any patient related information received through the hotline? If they don’t know what that means, forget them.

 

  1. Timelines. Will the vendor agree to provide a full written report within one business day of receipt of the call and for urgent matters, immediate notification?

 

  1. Report Delivery Security. Does the vendor deliver call reports by the most secure means? It is critical to establish a secure call report submission process to a specific responsible party and to an alternate should the primary contact be unavailable? Any delivery of reports via fax or email lack necessary security. It is critical that reports are secured to protect those filing the report, as well as those who are subject of the report or mentioned in them. HIPAA PHI, proprietary and confidential data, and personnel information must be protected. Web-based reporting is the most secure with notification of a report being provided via email.

 

  1. Routine vs. Urgent Reporting. Does the vendor assist in establishing a process that alerts the primary contact to any urgent report received? A delay in reporting a serious issue could result in potential liabilities.

 

  1. Insurance. Does the vendor provide at least one to three million dollars liability coverage? If your vendor does not have this insurance, consider changing over to one that provides this assurance.

 

  1. Caller Contact Information. Does the vendor have procedures for providing callers with a means to call back without disclosing their identity?

 

  1. Personalized Service. Does the vendor provide the identity or identities of individuals available to respond to any issues or question that may arise, whether it relates to call reports, invoice issues, or providing general advice? Not having easy access to someone or having to go through a phone system moving you from one office to another before you find a stranger who may or may not be able to answer your questions can be frustrating. If possible, seek an identified accounts manager who will be responsible for any and all issues that arise under the contract.

 

  1. Training and Assistance. Does the vendor provide guidance on the best way to promote understanding of the hotline?

 

  1. Other Useful Benefits. Are there any other services or benefit provided under the contract? This would include such things as supporting policy and procedures for hotline management, poster templates, newsletters, etc. For smaller organizations, these benefits may exceed even the service fees paid to the vendor. Find out what they offer.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Compliance officers’ checklist—25 suggestions

Health care organizations are facing increasing risk of exposure to actions by government regulators or enforcement authorities. Government authorities are conducting aggressive investigations and taking actions to hold entities and responsible corporate executives more accountable. It is well understood that having an effective compliance program is a necessity to prevent and detect misconduct that could give rise to liabilities. Despite the abundance of guidance pertaining to corporate compliance, achieving a program that is effective in reducing the likelihood of unwanted events or actions that could give rise to liabilities remains a continuing challenge. The following are suggestions that Compliance Officers may wish to consider during the course of the year.

Ensure That…

  1. A charter for the Compliance Officer function provides proper empowerment and authority.
  2. Minutes of Board and executive oversight committee evidence proper support and oversight.
  3. A clear and consistent message is communicated to everyone that compliance applies to all, regardless of position.
  4. Program managers are engaged in ongoing monitoring over their areas, including risk identification, policies addressing those risks, training of their staff on them, and verifying they are adhering to them.
  5. The code of conduct (code) is written as the “Constitution” for the compliance program, setting forth commitments to the patients being served, staff performing the services, safety of the work environment, and adherence to applicable laws, regulations, and standards.
  6. The code is understandable by all employees; written at no higher than 10th grade level.
  7. Policies and procedures reflect in detail what must be followed to adhere to the code.
  8. Compliance program-related policies/procedures are up to date.
  9. A document management system that tracks changes, revisions, and recessions in policies.
  10. Adequate written guidance are in place for all risk-related aspects of the organization’s
  11. There is evidence that managers/executives are held responsible for supporting compliance.
  12. Adequate resources and support for the compliance program is evidenced in the record.
  13. Periodic independent assessments are made to evidence compliance program effectiveness.
  14. All deficiencies found in reviews are remediated quickly and documented.
  15. A test of the hotline to ensure calls are answered and reported promptly, accurately.
  16. Available metrics are used to confirm the hotline and other channels of communication are
  17. Compliance training and education effectively convey the commitment to compliance.
  18. There is evidence of employee understanding of compliance education programs.
  19. Employee participation in training is documented and filed.
  20. Policies address timely self-disclosures of overpayments and potential violations of law or regulation.
  21. Meaningful and consistent discipline occurs for conduct that violates the code.
  22. A process is in place to capture lessons learned from costly errors resulting from compliance weaknesses.
  23. Assessments are being conducted for all high-risk areas and corrective actions for identified weaknesses.
  24. Periodic surveys of employees to measure and evidence employee understanding of the compliance program; and in measuring the compliance culture of the organization.
  25. Compliance is included in management performance reviews and compensation.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Reminder to compliance officers—EMTALA is a high risk area

EMTALA enforcement is on the rise, and a good example of this was AnMed Health, a hospital located in South Carolina. The hospital recently agreed to pay $1.3 million for violating EMTALA; the largest such settlement to date and it included a CIA. This was as result of failing to provide appropriate screening examinations and stabilizing treatment to patients presented to the emergency department (ED) with psychiatric conditions. As large as the penalty was, the OIG indicated it would have likely been much larger, but AnMed was credited with being cooperative with the OIG during the investigation and having engaged in significant corrective action. It is worth recalling that the OIG issued new regulations that (1) increased the civil monetary penalty amounts for EMTALA violations and (2) encourage providers to self-report EMTALA violations to CMS in order to potentially receive more lenient penalties where there is a violation of the law. Compliance officers should ensure the EMTALA high-risk area is being addressed by ongoing monitoring and auditing. The following offers a suggestions and tips for Compliance officers provided by the Policy Resource Center that have detailed audit guides for high-risk areas, including EMTALA, as well as many related policies and procedures. For more information, contact them directly.

EMTALA Policies

Comprehensive EMTALA policies should address:

  • Who conducts screening with detailed screening protocols
  • Processes for reassessing patients after initial screenings
  • Screenings to be conducted by a physician or qualified medical personnel
  • Documentation and uniformity of screenings regardless of ability to pay
  • Conduct and timeframes for stabilization of patients as obligated under EMTALA
  • Process and patients’ rights for transfers
  • Requirements for physician certifications and medical record documentation for transfers
  • Processes for transfers into the hospital
  • Transfers to medical records and patient consent
  • Refusal for emergencies transfers and state-specific transfer requirements
  • Prohibition of retaliation against whistleblowers that make reports
  • Creating a method to internally report and address potential violations and timely conduct investigations
  • Any changes in the law or accreditation standards.

Training on Policies

The key to a successful EMTALA program is education so that the policies can be followed appropriately by frontline staff. All new staff assigned to the ED should first undergo intensive training on EMTALA policies and annual refresher training is advisable. The training should address scenarios of real life situations that prepare for making quick decisions on the job.

Determine EMTALA Investigating and Reporting Responsibility

EMTALA complaints can come from many sources, including other hospitals, patients, family members and ambulance companies. They frequently also are reported to CMS and the OIG.  It is critical that reported EMTALA issues are addressed promptly and appropriately and how this is handled is viewed seriously by regulatory and enforcement agencies. Clinical leadership should play a key role in this process, but they should understand when and how they would work with the compliance officer and legal counsel who will need to be involved in guiding investigations and interactions with government agencies. Investigations at the direction of legal counsel, especially outside counsel, will preserve privilege, especially since EMTALA provides for the potential for a private cause of action in malpractice cases.

22 Ongoing Auditing EMTALA Tips

  1. Verify that policies/procedures specifically address EMTALA compliance.
  2. Check to see that transfer policies and arrangements are being followed
  3. Determine if there are long delays in the ED
  4. Review triage and screening protocols and training
  5. Review on-call polices and contracts to ensure the ED has adequate coverage
  6. Review bylaws related to who can conduct screenings
  7. Ensure that staff members are not requesting payment prior to screening patients
  8. Review transfer forms and logs
  9. Conduct a medical record audit for screening and transfers
  10. Confirm whistleblower protections
  11. Review internal reporting chain
  12. Review training materials and documentation
  13. Verify specialists are on staff to meet the screening and stabilization requirements, as well as inpatient capabilities for stabilizing emergency patients
  14. Ensure there are no payments requested prior to screening patients
  15. Verify policies prohibit retaliation against whistleblowers that make reports
  16. Verify a method for internally reporting (e.g. hotline) and addressing potential violations
  17. Check to see there is a central log that is properly maintained for disposition and compliance with legal requirement
  18. Confirm that the physician on-call list reflects coverage of services available to inpatients
  19. Verify triaging of patients is being performed properly
  20. Verify all physicians come to the facility when called and are in compliance with the timeframes set forth in policies
  21. Confirm all transfers of individuals with un-stabilized EMCs are initiated either by (a) a written request for transfer or (b) a physician certification regarding the medical necessity for the transfer
  22. Verify there is an established a transfer request log to capture necessary information.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Defending against ransomware threat

Cyber attacks have risen to dramatic levels over the last two year and are likely averaging one attack a day, with the most disturbing trend involving ransomware. A survey by the American Health Lawyers Association indicated that virtually all healthcare lawyers believe they will be involved with cyber security matters with their client and the threat will continue to increase over the coming years. Data breaches include actions by those inside the organization, as well as external attacks including phishing, hacking, and ransomware. Ransomware typically involve a sophisticated computer virus introduced into a victim’s system that encrypts the system’s data.  The attackers threaten to delete the private key needed to decrypt the files unless the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin. The healthcare industry, particularly hospitals, have proven to be a soft target, as they need to have immediate access to their patient information and many have paid the ransom to regain control over it. The healthcare sector is considered a “soft target” for Ransomware attacks, particularly hospitals that are the perfect mark for this kind of extortion in that they provide critical care and rely on up-to-date information from patient records. As such, compliance officers need to consider this a compliance high-risk area where ongoing monitoring and auditing applies.  Simply assuming that someone in IT is addressing this problem area can be a big mistake. At the same time, the compliance office is not responsible for the program, but is responsible to ensure that those that have that responsibility are doing their job, including IT and human resource management (HRM).

According to new studies reported, healthcare now ranks as the second highest sector for data security incidents, after business services. The “2017 Internet Security Threat Report” found that in healthcare (a) over half of emails contained spam; (b) one in 4,375 emails being a phishing attempt; and (c) email-borne ransom-ware spiked 266% over the previous year.  The Ponemon Institute further found breaches could be costing the healthcare industry $6.2 billion annually. All these studies indicate that the biggest vulnerability to cyber attacks is employees that let-down their guard when opening or responding to emails from unknown sources. Often “scammers” create the appearance of legitimate sites, including using similar names, emblems of companies and even government agencies, etc. (including the OIG and IRS). Once someone opens the door, all kinds of bad things can happen.

Practical Tips

  1. Implement policies and procedures on taking precautions against malware and train all covered persons on them.
  2. Ensure ongoing (repeated) training of employees to keep them aware and being on guard against allowing software breaches by clicking on an email link or attachment, or responding to “pfishing” inquiries.
  3. Don’t entirely rely upon employees to always do the right thing and provide assistance by configuring email servers to block zip or other files that are likely to be malicious.
  4. Restrict permissions to areas of the network by limiting the number of people accessing files on a single server, so that if a server gets infected, it won’t spread to everyone.
  5. Limit employee access to systems on a need to know standard.
  6. Security efforts should focus on those files that are most critical, patient records.
  7. Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate or remediate these identified risks.
  8. Maintain disaster recovery, emergency operations, and frequent data backups to permit restoring of lost data in case of an attack.
  9. Move quickly on any report of an attack to prevent the malware from spreading, by disconnecting infected systems from a network; disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.