Kusserow on Compliance: Free Webinar! Conducting Internal Investigation Interviews—Some Best Practices and Tips

Wolters Kluwer is hosting a complimentary webinar on January 26, 2017, entitled, “Best Practices for Conducting Internal Investigations.” The presenters are Richard P. Kusserow, former FBI executive and HHS Inspector General, and Kashish Chopra, JD. Both have extensive experience with conducting internal investigations. Today’s blog provides some tips on the most critical part of most investigations; conducting witness interview. This subject will be provided in more depth during the webinar.

Always project a professional image

This begins with how one is attired. An interview is a formal business meeting and those conducting them should dress accordingly. Dressing down in jeans or other casual clothing does not project a professional image. Those interviewed are not friends; and therefore investigators should not dress and act as if they were. The demeanor of interviewer is important to outcome of interview. If interviewer appears quietly competent and professional, it will encourage confidence in the individual being interviewed. It also reduces nervousness in innocent parties, increases nervousness in guilty ones. The manner should always be polite but firm. Cooperation is essential; intimidation is counter-productive and possibly disastrous in outcome. Treat those interviewed with dignity, respect, and courtesy; and avoid use of any investigative jargon or slang

Begin with why the person is being interviewed

Identify self and any others participating in the interview and explain the purpose of the investigation, along with the authority to conduct inquiry. Make it clear they have a duty to provide complete and accurate facts and explain their comments will be kept confidential to the degree possible

Take time to establish rapport

This is critical to the result of the interview. Beginning an interview with five or ten minutes of easy conversation has the advantage of reducing tension and increases better communication and cooperation. It also permits the investigator to observe the person and their behavioral patterns during this initial more relaxed discourse that often proves very valuable when assessing responses when questioning begins addressing more serious issue areas. Any rapport established can be easily lost by careless use of terms or phrases that may evoke negative connotations, or cause the person to become more defensive and less cooperative.

Best way to have a productive interview is to do one’s homework in advance

This means (a) knowing the objectives of the investigation; (2) having an investigative plan to achieve those objectives; (3) identifying facts needed to properly understand and assess the issues; and (4) what the person being interviewed may offer in terms of facts. It is useful to prepare the key points to be covered for use as a guide, but just going down a list of questions is a bad practice, as it turns the interview into something more akin to an interrogation. Use open-ended questions and allow the person to speak. Often they will cover many of the points on your guide in their discourse. At the end of the interview, review the guide to see if all the points were covered”.

Keep control of the interview by asking, not answering, questions

The interviewer is not the dispenser of information and, as such, they should not reveal the status of the work; offer opinions; indicate what has been found so far; or what has been said by others. Offer no opinions relating to the investigation. Losing sight of that principle often leads to losing control of the interview and is one of the major causes of bad outcomes in the process.

Always remember the interview purpose is to establish facts

It is critical that the investigator remain at all times focused on facts. It is common to have those being interviewed to drift off of facts, especially if they are uncomfortable with the direction of the interview. Therefore, always follow through on questions asked and not be diverted by other comments. Ensure basic questions such as who, what, where, when, how, and why have been addressed. Keep the questions simple and direct, avoiding compound sentences. Ask open-ended questions and allow the person to fully answer.

Take notes, discreetly

It is important to maintain the interview as much like a conversation as possible. Losing eye contact can throw the interview off and detract from results. As such, although it is critical to take notes throughout the interview, it should be done as discreetly as possible. This means writing only key words and phrases that can be filled out after the interview is over. Taking copious notes and losing eye contact risk turning the interview into something that may appear to the individual as an interrogation and makes individuals tighten up and be less forthright in their comments.

Click here to register.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Tips for protecting data against attacks and breaches

The media is filled with stories of data breaches in all business sectors. Larger organizations are not immune. In fact, the larger the organization, the better the target appears for attackers. The largest breaches have been with the Federal Government. In the health care sector, data breaches involving Protected Health Information (PHI) have been rising at a great rate. Patient records are very valuable and are sold on a per record basis. Providers are also considered “soft targets”, especially by those engaged in “Ransomeware” extortions; and many pay the demands to regain access to their patient records.

No one seems immune to these types of attacks. One can hardly forget that one of the biggest successful penetration attacks on data was with the U.S. Office of Personnel Management, where sensitive information was compromised, including the Social Security Numbers, of 21.5 million individuals, including 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Even law firms that provide advice on data security to their clients have been victimized and among those with the weakest controls to protect their data. Survey reporting by Marsh found four out of five of the largest 100 law firms had been hacked. As is common in any business arena, they noted that many don’t know they have been hacked. The following are best practice tips to assist in preventing and/or mitigating attacks and breaches.

  1. Have a dedicated information security officer that has the responsibility as well as the authority to adopt, implement, and enforce adequate security protocols, including ensuring (a) the IT infrastructure and data creation, transmission, and storage protect data from unauthorized disclosure; (b) ensuring legitimacy of data received, source and content; and (c) accessible for auditing and monitoring.
  1. Develop and implement data security policies for:
  • all external drives and mobile devices (including personally owned)
  • location and remote-erase options in case of loss or theft
  • data backup
  • installation of firewalls
  • data encryption
  • password protection
  • how to respond to any data breach
  • disaster recovery
  • records retention
  • business continuity in case of loss to data
  • uses of social media
  • vendors relation requirements
  • use of free public wi-fi
  1. Institute safeguards and device management to protect information, such as encryption and passwords for all devices (USB drives, cell phones, tablets)
  1. Engage in ongoing monitoring to ensure that policies and procedures are being properly followed; and periodic outside auditing of the systems.
  1. Train all covered persons on existing policies and procedure relating to data protection, and report any suspected unusual emails. This is important as most successful attacks are the result of email users opening attachments that give entry to a wrongdoer. Users are often the ones that detect early irregularities occurring as result of an attack and the quicker they report it, the better it is to contain the attack.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2016 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Growing use of the responsible corporate officer doctrine increases importance of effective compliance programs

For decades the Department of Justice (DOJ) and Office of Inspector General (OIG) has been increasing their usage of the responsible corporate officer (RCO) doctrine. The DOJ has been using the doctrine for decades in an ever widening set of circumstances in order to change the corporate culture of companies. Yet, the agency found that financial penalties alone are insufficient to do this.

The doctrine imposes strict liability on corporate officers based solely on their area of responsibility within the corporation, regardless of their knowledge of the underlying criminal activity or their participation in it. In 2010, the OIG issued a position paper on the doctrine that underscored the agency’s commitment to use its permissive exclusion authority against executives and board members that permitted wrongful activity through negligence.

On September 9, 2015, the DOJ came out with new guidelines on corporate conduct. It reflects an increased focus on individual accountability for corporate wrongdoing, both civil and criminal, and on the importance of corporate cooperation with prosecutors. The new guidance has the objective of directing attention on individual accountability for corporate wrongdoing to increase deterrence by holding individuals responsible for their actions. It also addresses the importance of corporate cooperation in the context of governmental investigations.

Key provisions of the DOJ prosecutor guidelines

  • Credit for cooperation. There must be complete disclosure of all relevant facts, including identification of all those involved in or responsible for the misconduct, regardless of their position, status, or seniority, and all facts relating to that misconduct. It will also depend upon timeliness of the cooperation; diligence, thoroughness, and speed of the internal investigation; and the proactive nature of the cooperation.
  • Prosecutors focus on individuals. The guidelines call for prosecutors to concentrate on individual wrongdoing from the inception of the investigation through the resolution of the case, including how a health care provider approaches a voluntary disclosure of billing errors; how employees respond to internal requirements for cooperation; and how employees conduct business with material legal implications in the absence of any government inquiry.
  • Protection of individuals not included in corporate settlements. The discouragement of agreeing to release officers, directors, and current and former employees from individual civil liability as a condition of the corporate resolution has been common in the past. This preserves the DOJ’s ability to pursue responsible individuals.
  • Civil enforcement against individuals not limited to ability to pay. The DOJ will no longer evaluate actions against wrongdoers solely on the basis of an ability to pay, but will focus more on deterrence on others. As such, the DOJ may pursue civil monetary penalties against lower level employees who likely lack the ability to recompense the government for its alleged losses or for applicable civil penalties.

10 tips for compliance officers

  • Study the RCO doctrine, know how it is being applied, and inform executives and board members of its significance in terms of personal liability.
  • Stress to management and board that the best RCO defense is an effective compliance program and that executive support of the program reduces their personal risks.
  • Provide annual education to the board on its fiduciary compliance obligations and duties.
  • Expect boards and executives to demand more evidence of compliance program effectiveness.
  • Look to developing and providing metric evidence of compliance program effectiveness.
  • Ensure program managers are engaged in ongoing monitoring of their programs.
  • Ensure an ongoing audit plan for all high risk areas to verify ongoing monitoring and validate that it is effective in addressing vulnerabilities.
  • Arrange for annual independent review of the compliance program by experts, as well as an independently administered compliance survey of employees, alternating methods employed.
  • Ensure that all allegations or complaints of wrongdoing are promptly and thoroughly investigated.
  • Verify executives are provided definitive written legal opinions before entering into agreement with referral sources or making decisions in compliance high risk areas.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2015 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Credit balances going to the top of the high risk list

Failing to reconcile credit balances and repaying overpayments has become a new and major threat to providers. Now these acts can be viewed as “reverse false claims” that could easily result in millions of dollars in penalties. The Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) mandated the report and return of overpayments within 60 days of those payments being “identified;” failure to do so creates a reverse false claim.

Credit balances generally occur when the reimbursement that a provider receives for services provided to a beneficiary exceeds the charges billed, such as when a provider receives a duplicate payment for the same services from another third-party payer. It was unclear when the clock on when these balances should be returned started ticking, as neither Congress nor CMS identified when this period begins, leaving it to interpretation by providers. This room for interpretation ended in July of 2015 with a decision by a federal court in a qui tam case. In that matter, the providers were charged with failing to timely investigate and resolve a suspected problem of receiving overpayments. The court ruled that notice of potential violations was sufficient to start the 60-day clock. Holding otherwise would permit willful ignorance to delay the formation of an obligation to repay the government money that is due, the court noted.

A new report, issued by the Office of Inspector General (OIG) has shed some light on to what extent this exposes providers to liability. The OIG examined provider overpayments in Medicaid programs and found that failing to identify and return Medicaid overpayments was a continuing problem. The agency performed reviews in eight states to update prior work on Medicaid credit balances and the report was already in draft when the federal court issued its new ruling. The report found efforts in many states were inadequate to ensure that providers were remitting overpayments in a timely manner and called upon CMS to establish a national Medicaid credit balance reporting mechanism and require its regional offices to monitor reporting.

In a sample review of eight providers in each of the eight highlighted states (total of 64 providers), the OIG report estimated unrecovered overpayments of $24,984,165 (of which $16,833,392 was the federal share). This tiny sample suggests that overpayments received and not paid could be a very significant amount of money. The OIG found that providers did not identify, report, and return Medicaid overpayments because the states did not require that providers exercise reasonable diligence in reconciling patient records. In some cases, it noted that some providers did not reconcile some patient records for more than six years.

Implications of the recent court action and new OIG report

Compliance officers should see a large red flag raised when considering the OIG report and the recent federal court decision. Together, we now see that the courts have drawn a clear line of what constitutes failure to timely remit payments and the OIG has demonstrated an ability to identify unreported overpayments. As such, compliance officers should place this issue near the top of compliance high risk areas. It is advisable to immediately begin to ensure that credit balance management is subject to ongoing monitoring as well as ongoing auditing. Failing to report overpayments may trigger reverse false claims that can result in millions of dollars of liability.

Tips for compliance officers

  • Al Bassett, JD, former Deputy Inspector General and FBI executive with 15 years of health care compliance consulting experience, advises “compliance officers to examine the credit balance issue and ensure that all overpayments are being identified in a timely matter and reported to the executive leadership and the board to ensure they are acted upon and paid back in a timely manner.”
  • Jillian Bower of the Policy Resource Center stated that “the court decision increases the importance of having written guidance already in place to address potential overpayments, including policies for conducting investigations, disclosure, as well as protocols between the compliance officer and legal counsel in handling complaints. Without such written guidance, matters could bog down and run out the clock.”
  • Carrie Kusserow, a senior consultant with over a decade of specialized experience with hotlines, observed that “the recent court case came from a whistleblower, as such it is critical to have an effectively operated hotline to quickly capture any reports of overpayment issues to promptly investigate the matter within the short time frame allowed under the court’s ruling and failing to do so becomes a ticking time bomb under the 60-day rule.”
  • Jim Cottos, who has served as an Interim Compliance Officer for many organizations, along with his experience as former Chief Inspector for the HHS OIG, advised that “organizations must have available trained people to quickly investigate and resolve overpayment issues.”
  • Dr. Cornelia Dorfschmid, a nationally recognized expert on analyzing claims, stated “the biggest challenge with identification of overpayment amounts is to do too little for too long. Hesitation can quickly turn into unreasonable delay and non-compliance. The compliance officer should not let that happen. Getting help from independent and objective experts with the determination of claims accuracy and statistical extrapolation, as well as secondary effects, such as on physician productivity and FMV [fair market value] compensation in RVU [relative value units] based models, is a good idea. It will carry a lot more weight with the government than if internal staff does the work. External review work in these cases is best done under direction of legal counsel.”
  • Camella Boateng, a senior compliance consultant brought up “the old adage that says ‘an ounce of prevention is worth a pound of cure.’ It is far better to avoid making billing errors than dealing with the consequences of failing to do so. As such it is worth remembering advice from the OIG to provide specialized compliance annual training regarding applicable billing rules for those involved in claims processing.”



Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2015 Strategic Management Services, LLC. Published with permission.