Kusserow on Compliance: Codes of conduct part 2—16 tips for developing or revising codes

The code of conduct should be a statement of guiding principles for an organization with separate policies and procedures to provide more detailed guidance on how to meet them. It should be reviewed annually as part of ongoing monitoring to ensure it is current with applicable laws, regulations, policies, and standards.   Periodically, the code will need to be revised and updated.  The HHS Office of Inspector General (OIG) has provided a number of points it believes should be included in such a document.  It is worth reviewing them as part of either developing or revising the code.  The following are tips, considerations, and suggestions related to code development or revision.

  1. Gain buy-in from the top. All codes need buy-in and support from the top, beginning with Board approval and personal involvement and support of the CEO. They should not only provide input to the process, but ultimately approve the result.
  2. Determine responsibility for code review and revision. Most codes are developed and reviewed under the leadership of the compliance officer and human resources management (HRM) with a cross section of key persons from the various operational areas. The compliance officer, HRM, and legal counsel should actively drive the process.
  3. Code will affect policy development. The code should be analogous to a Constitution that outlines basic principles; policies are like law and regulations that are consistent with the Constitution. The code should have direct contact with and influence over compliance policy development.
  4. Form a committee to assist in development/revision of the code. It is important to gain wide buy-in for the code. It is advisable to form a committee consisting of individuals across various operational areas. Their views and input will go a long way in selling the code to the entire workforce. The committee can assist in determining format and content of the code and can be used to meet target deadlines for completion. The committee should include the compliance officer, legal counsel, HRM, Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) privacy/security officers, and representatives from various operations.
  5. Develop a plan. Code development must follow a plan with timeframes for step completion and the respective roles for everyone involved in the process. All those involved in this effort need to understand how it is going to function and the level of commitment necessary from them. The various development and approval steps, as well as timeframes for them, should be part of the plan.
  6. Consider using experts to facilitate the process. There is no need to reinvent the wheel. Code development or revision can be simplified, facilitated, and guided by compliance experts in this field. They can not only advise, but direct attention to key concepts that need to be included in the code, many of which have been outlined by the HHS OIG. They also have the advantage of avoiding turf issues that sometimes slow code making decisions.
  7. Decide upon size. The code should be a booklet, not a book. If the amount of content grows, employees’ attention to reading and absorbing the content declines. Detailed written guidance on complying with code provisions should be included in policies and procedures. Generally, codes should be about 20 pages or less.
  8. Establishing form and format. The best practice is to have each section in the code begin with an introductory statement of guiding principle, followed by bullet point standards in furtherance of that statement. Bullet points are easier for employees to follow than long narratives.
  9. Determine core content. Among the initial steps in code development or revision is determining what is needed in terms of specific content. The code should address all stakeholders, including patients, employees, management, regulatory authorities, etc. The code should include a description of the compliance program and how to contact the compliance office via phone and email. It should also address regulatory and legal issues, including conflicts of interest, gifts and gratuities, high-risk areas, and compliance with the fraud statutes, including the Anti-Kickback Statute, Stark Law, etc.
  10. Address reporting of suspected problems. The code should clearly state that everyone has an affirmative duty to report any possible wrongdoing, along with a detailed outline of procedures for handling questions about compliance or ethical issues, and the channels by which they can report potential violations in confidence or anonymously without fear of retribution or retaliation. This includes provisions for how to report to the hotline.
  11. Decide on manner of dissemination. A decision needs to be made as to how the code will be made available to all covered persons, such as being posted on the organization’s intranet, provided in hard copy with signature receipt, or a combination of both. If the code is not new, but one that has been revised, then steps need to be taken to stop dissemination of the old version. The code should be addressed in all employee training sessions. In the case of compliance training, the code should be covered in some detail and copies of the code should be available at those sessions.
  12. Reference to policies and procedures. The code should be a document that sets forth principles the way the Constitution does for the country, with policies providing more detailed written guidance, in the same way that laws and regulations do. Therefore, when the code is changed, revised, or updated, it is important to reference all policies to ensure they will be consistent with the code. Having a code and policies that conflict is a formula for migraines.
  13. Reading level. It is critical that the code be written at a level understandable by employees. Failure to do this can result in a document that cannot support adequately the compliance program goals of the organization. Finding the right reading level can be a challenge, as often there is a wide range of education, ranging from professional staff with graduate degrees to those without any degrees at all. The best practice is to try to create a document at the tenth grade reading level. The worst practice is to develop a document in legalese with footnotes to laws and regulations.
  14. Language. Many health care organizations have a significant percentage of their employees for whom English is a secondary language. The question to be determined therefore is whether the code should have versions in another language. If the decision is affirmative, care must be taken that the translation is very accurate, as nothing can create a bigger headache than multiple interpretations between documents in different languages.
  15. Date the document and formally rescind the old version. If a question arises concerning written guidance to employees, it is important to have evidence of what guidance was in place during the period in question.
  16.  Acknowledgement and attestation. There should be a form evidencing receipt of the code by covered persons, along with a form to be signed by the person attesting his or her understanding and compliance with the terms of the code. Such forms should be kept on file by HRM.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG warns board of consequences for failing to meet compliance oversight responsibilities

CIAs are rapidly changing with additional provisions that include Board members

Upcoming webinar will address the full range of changes in CIAs

At the Health Care Compliance Association (HCCA) conference just concluding, the HHS Office of Inspector General (OIG) warned that in working out terms and conditions of a Corporate Integrity Agreement (CIA), the OIG will look for evidence of whether the Board was actively involved in oversight of the compliance program. If it determines that the Board was derelict in meeting its fiduciary responsibilities, the OIG will consider that a contributing factor that led to the need for government intervention. The weaker the Board oversight, the more stringent the requirements that are placed on the Board in the settlement agreement. In cases where the OIG finds that the Board has not been providing the proper oversight of the compliance program, the OIG will add mandates for personal certifications of Board members regarding the compliance program that includes mandated certifications by individual Board members on the effectiveness of the program. To ensure that Boards are attentive to this responsibility, the OIG may require the Board to engage a Compliance Expert to assist in meeting the Board’s obligations and the report made part of each Annual Report filing. These provisions place a heavy personal burden on Boards. Furthermore, CIAs often include a stipulated penalty for non-compliance with deadlines, as well as $50,000 penalties for each false certification that may also implicate the False Claims Act.

For 20 years, the OIG has been calling for a “top-down” compliance program, beginning at the Board level, that includes issuing White Papers, such as “Practical Guidance for Health Care Governing Boards on Compliance Oversight,” and emphasizing holding Boards more accountable for proper oversight of compliance within organizations. Language from these pronouncements about Board obligations and use of Compliance Experts is now included in CIAs.

Tips for Compliance Officers

  1. Review OIG “White Papers” and new CIAs to learn what the OIG considers best practices for boards.
  2. Educate and warn the Board on their fiduciary obligations and personal consequences for failing to meet them.
  3. Suggest the Board include someone who is “compliance literate” and knows what questions to ask and how to assess program effectiveness (e.g., compliance officer experience or a compliance consultant).
  4. Provide the Board with solid evidence concerning the operation of the compliance program, such as engaging a Compliance Expert to assess and evaluate the program and providing the Board with evidence of an active program and identifying opportunities for improvement.

Register now to attend a free webinar on Thursday, April 6, 2017 titled “Compliance Accountability: Lessons Learned from Implementing Corporate Integrity Agreements” and presented by Thomas Herrmann, JD, former Chief of the Litigation Branch for the OIG and Appellate Judge for Medicare Appeals, along with Carrie Kusserow, MBA, CHC, CHPC, CCEP, who has 15 years’ experience as a compliance officer and consultant. Both are experts on compliance programs, as well as meeting the terms and obligations of Corporate Integrity Agreements.


Kusserow on Compliance: Codes of conduct part 1—Meeting the challenge of developing and revising codes

Without question, one of the basic foundations of any effective compliance program is the code of conduct. All compliance guidance from the U.S. Sentencing Commission to the HHS Office of Inspector General (OIG) has called for having such a foundation document for any effective compliance program.  Many codes are far out of date and fail to provide the needed guidance for employees on their obligations toward compliance.  A round table of compliance experts, experienced in developing and revising codes, offered the following observations and ideas on the subject.

Tom Herrmann, J.D., was a leader in the OIG General Counsel’s office when the first guidance was published and has since assisted many organizations in drafting and/or revising codes of conduct. He observed that the initiation of OIG compliance program guidance provided the major stimulant for having codes of conduct.  Others have added weight to code development, including the Sentencing Commission, Department of Justice (DOJ), and The Joint Commission (TJC).  In the early days of responding to such guidance, it was common for law firms and others to provide template codes that were imbedded in what organizations referred to as their ‘Compliance Plan.’ However, plans are statements of intent and converting them into fully functioning and effective programs has taken years for some organizations.  Unfortunately, many are still ‘stuck in first gear’ and have not converted their plans into effective programs.  This includes bringing their codes up to date by reviewing, revising, and updating them, along with related compliance policies.

Steve Forman, CPA, has decades of experience as a compliance officer, internal auditor, and compliance consultant. He reminds people that compliance programs and all that falls under them should be the subject of ongoing monitoring, as called for in compliance guidance. Codes should be part of that process to ensure they remain timely and consistent with policy development and changes in the regulatory environment. A review of the code should be done annually to ensure it is up to date. As compliance-related laws are passed or revised, or internal policies are developed or revisited, a company must adapt and respond quickly to the changing legal and regulatory environment. This includes updating the code. The code review process can be a major undertaking and should be approached with careful planning and involvement of the right people.

Carrie Kusserow has been developing codes of conduct for fifteen years and believes they should be an elaboration on the organization’s mission or vision and identify specific values that help accomplish the mission. To be truly effective, the code needs to reflect the spirit, tone, and culture of the organization. This means having the Board and executive leadership supporting and approving the document. If it doesn’t ring true to staff, securing their participation and cooperation in the compliance program will be much more difficult.  Furthermore, the context for the review of a code should be whether there have been problems with covered persons understanding the content. For many organizations, the code may have been written at a level beyond many employees’ understanding.  Kusserow strongly recommends that the code be written at no higher than the tenth grade reading level.

Camella Boateng, another expert who has both been a compliance officer and a consultant, makes the point that the OIG has repeatedly stated that when it comes to compliance programs, including the code and policies, there is no “one size fits all.” Though this is the case, there are certain best practices, such as beginning the code with an introductory statement and strong endorsement from the CEO.  This should make it very clear that everyone in the organization is expected to act in an ethical manner and abide by all applicable laws and regulations affecting the organization. It should also state that it is everyone’s duty to report suspected wrongdoing, and they can do so without fear of retaliation.  The body of the code should address all the stakeholders in the organization, including the patients being served, employees, management, and regulatory agencies.

Suzanne Castaldo, J.D., worked with many clients in revising and updating their codes and found that too many codes have been written more like legal briefs than user-friendly advice. Some of the least useful codes she has reviewed included legalese with formal footnotes.  That is not user friendly. Rather, the code should be presented in the form of general guidelines to assist employees in understanding appropriate conduct and ways to deal with improper behavior.   The OIG compliance guidance documents call for including in codes the operation of the compliance program, along with explanations of applicable laws, such as the Anti-Kickback Statute, Stark Laws, and fraud statutes.

Jillian Bower, an expert on code and policy development, suggests that reviewing a variety of codes of organizations in the same sector provides a good benchmark for comparison and may provide ideas and insights that could be incorporated into revisions. She has found that one of the biggest problems in the way codes are presented to employees occurs when they are written like journal articles in lengthy paragraphs, making them too long and complicated in presentation.  She believes it is important to divide the code into topical subjects headed by an introductory statement of principles, followed by short bullet points that set standards for meeting them.

Al Bassett, J.D., has more than 30 years’ experience with compliance guidance. He believes the most effective means to develop or revise a code that will have wide acceptance and buy-in by everyone is to use a broad-based committee, under the leadership of the compliance officer, that provides input from a variety of perspectives. Critical to such an effort is having human resources management and legal counsel be part of the effort. However, he has found that sometimes an effort by a committee gets bogged down for a variety of reasons, including determining the form and format for the code, subject matter to be included, amount of detail needed, timing problems, etc. Keeping the process moving on track is important. As such, it is best to establish a plan at the beginning of the effort that has firm deadlines for each stage of the process. If management of this process is considered a problem, outside experts could be considered to facilitate matters. They can be useful for three reasons: (1) as outsiders they can sidestep ‘turf’ issues; (2) they have done it many times before and know how to focus the process; and (3) they have the credibility from doing this before.

All were invited to provide specific tips and suggestions for effective development and/or revision of codes of conduct that will be summarized in a March 9, 2017, blog posting.


Kusserow on Compliance: OIG reports Medicaid Fraud Control Units results for 2016

The HHS Office of Inspector General (OIG) is the designated Federal agency that oversees state Medicaid Fraud Control Units (MFCUs). It issued a report on their statistical results for 2016. MFCUs are charged with investigating and prosecuting patient abuse or neglect in nursing homes and hospitals, as well as in assisted living facilities. Seventy-five percent of MFCU funding comes from the federal government. The OIG administers the grant to each of the units, sets performance standards, reviews each state’s program, provides technical assistance, identifies best practices, and collects and analyzes statistics. There are MFCUs in 49 states and the District of Columbia with funding of $258,698,147. With a staffing of 1,965 investigators, auditors, and attorneys, they investigated 15,505 fraud cases and another 3,221 abuse and neglect cases. This resulted in 1,564 criminal convictions and 998 civil settlements. They also achieved a total $1,876,532,842 in monetary recoveries with $368,498,733 from criminal actions, $1,225,709,487 in civil settlements, and $282,324,622 from other actions. MFCUs most often work their own cases without assistance from other agencies. The OIG works a lot of cases with the MFCUs and in 2016, these cases resulted in 312 indictments, 348 criminal actions, and 222 civil actions. These Medicaid cases–some of which also involved Medicare–resulted in almost $3 billion in expected recoveries.

The results of individual units can be found in the OIG report, along with a more detailed statistical breakdown of data. For comparison in results, the OIG issued a detailed report for 2015, noting that the MFCUs achieved 1,553 convictions, 731 civil settlements and judgments, and $744 million in criminal and civil recoveries. In this report, the OIG provided a detailed breakdown of the types of cases and trending data.
