Kusserow on Compliance: Codes of conduct part 2—16 tips for developing or revising codes

The code of conduct should be a statement of guiding principles for an organization with separate policies and procedures to provide more detailed guidance on how to meet them. It should be reviewed annually as part of ongoing monitoring to ensure it is current with applicable laws, regulations, policies, and standards.   Periodically, the code will need to be revised and updated.  The HHS Office of Inspector General (OIG) has provided a number of points it believes should be included in such a document.  It is worth reviewing them as part of either developing or revising the code.  The following are tips, considerations, and suggestions related to code development or revision.

  1. Gain buy-in from the top. All codes need buy-in and support from the top, beginning with Board approval and personal involvement and support of the CEO. They should not only provide input to the process, but ultimately approve the result.
  2. Determine responsibility for code review and revision. Most codes are developed and reviewed under the leadership of the compliance officer and human resources management (HRM) with a cross section of key persons from the various operational areas. The compliance officer, HRM, and legal counsel should actively drive the process.
  3. Code will affect policy development. The code should be analogous to a Constitution that outlines basic principles; policies are like law and regulations that are consistent with the Constitution. The code should have direct contact with and influence over compliance policy development.
  4. Form a committee to assist in development/revision of the code. It is important to gain wide buy-in for the code. It is advisable to form a committee consisting of individuals across various operational areas.   Their views and input will go a long way in selling the code to the entire workforce. The committee can assist in determining format and content of the code and can be used to meet target deadlines for completion.  The committee should include the compliance officer, legal counsel, HRM, Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104+191) privacy/security officers, and representatives from various operations.
  5. Develop a plan. Code development must follow a plan with timeframes for step completion and the respective roles for everyone involved in the process. All those involved in this effort needs to understand how it is going to function and the level of commitment necessary from them. The various development and approval steps, as well as timeframes for them, should be part of the plan.
  6. Consider using experts to facilitate the process. There is no need to reinvent the wheel. Code development or revision can be simplified, facilitated, and guided by compliance experts in this field. They can not only advise, but direct attention to key concepts that need to be included in the code, many of which have been outlined by the HHS OIG. They also have the advantage of avoiding turf issues that sometimes slow code making decisions.
  7. Decide upon size. The code should be a booklet, not a book. If the amount of content grows, employees’ attention to reading and absorbing the content declines. Detailed written guidance on complying with code provisions should be included in policies and procedures. Generally, codes should be about 20 pages or less.
  8. Establishing form and format. The best practice is to have each section in the code begin with an introductory statement of guiding principle, followed by bullet point standards in furtherance of that statement. Bullet points are easier for employees to follow than long narratives.
  9. Determine core content. Among the initial steps on Code development or revision is determining what is needed in terms of specific content. The code should address all stakeholders, including patients, employees, management, regulatory authorities, etc. The code should include a description of the compliance program and how to contact the compliance office via phone and email. It should also address regulatory and legal issues, including conflicts of interest, gifts and gratuities, high-risk areas, and compliance with the fraud statutes, including the Anti-Kickback Statute, Stark Law, etc.
  10. Address reporting of suspected problems. The code should clearly state that everyone has an affirmative duty to report any possible wrongdoing, along with a detailed outline of procedures for handling questions about compliance or ethical issues, and the channels by which they can report potential violations in confidence or anonymously without fear of retribution or retaliation. This includes provisions for how to report to the hotline.
  11. Decide on manner of dissemination. A decision needs to be made as to how the code will be made available to all covered persons, such as being posted on the organization’ s intranet, provided in hard copy with signature receipt, or a combination of both. If the code is not new, but one that has been revised, then steps need to be made to stop dissemination of the old version. The code should be addressed in all employee training sessions. In the case of compliance training, the code should be covered in some detail and copies of the code should be available at those sessions.
  12. Reference to policies and procedures. The code should be a document that sets for principles the way the Constitution does for the country, with policies providing more detailed written guidance, in the same way that laws and regulations do. Therefore, when the code is changed, revised, or updated, it is important to reference all policies to ensure they will be consistent with the code. Having a code and policies that conflict is a formula for migraines.
  13. Reading level. It is critical that the code be written at a level understandable by employees. Failure to do this can result in a document that cannot support adequately the compliance program goals of the organization. Finding the right reading level can be a challenge, as often there is a wide range of education, ranging from professional staff with graduate degrees to those without any degrees at all. The best practice is to try to create a document at the tenth grade reading level. The worst practice is to develop a document in legalese with footnotes to laws and regulations.
  14. Language. Many health care organizations have a significant percentage of their employees for whom English is a secondary language. The question to be determined therefore is whether the code should have versions in another language. If the decision is affirmative, care must be taken that the translation is very accurate, as nothing can create a bigger headache than multiple interpretations between documents in different languages.
  15. Date the document and formally rescind the old version. If a question arises concerning written guidance to employees, it is important to have evidence of what guidance was in place during the period in question.
  16.  Acknowledgement and attestation. There should be a form evidencing receipt of the code by covered persons, along with a form to be signed by the person attesting his or her understanding and compliance with the terms of the code. Such forms should be kept on file by HRM.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Codes of conduct part 1—Meeting the challenge of developing and revising codes

Without question, one of the basic foundations of any effective compliance program is the code of conduct. All compliance guidance from the U.S. Sentencing Commission to the HHS Office of Inspector General (OIG) has called for having such a foundation document for any effective compliance program.  Many codes are far out of date and fail to provide the needed guidance for employees on their obligations toward compliance.  A round table of compliance experts, experienced in developing and revising codes, offered the following observations and ideas on the subject.

Tom Herrmann, J.D., was a leader in the OIG General Counsel’s office when the first guidance was published and has since assisted many organizations in drafting and/or revising codes of conduct. He observed that the initiation of OIG compliance program guidance provided the major stimulant for having codes of conduct.  Others have added weight to code development, including the Sentencing Commission, Department of Justice (DOJ), and The Joint Commission (TJC).  In the early days of responding to such guidance, it was common for law firms and others to provide template codes that were imbedded in what organizations referred to as their ‘Compliance Plan.’ However, plans are statements of intent and converting them into fully functioning and effective programs has taken years for some organizations.  Unfortunately, many are still ‘stuck in first gear’ and have not converted their plans into effective programs.  This includes bringing their codes up to date by reviewing, revising, and updating them, along with related compliance policies.

Steve Forman, CPA, has decades of experience as a compliance officer, internal auditor, and compliance consultant. He reminds people that compliance programs and all that falls under them should be subject of ongoing monitoring, as called for in compliance guidance.  Codes should be part of that process to ensure it remains timely and consistent with policy development and changes in regulatory environment. A review of the code should be done annually to ensure it is up to date. As compliance-related laws are passed or revised, or internal policies are developed or revisited, a company must adapt and respond quickly to the changing legal and regulatory environment. This includes updating the code. The code review process can be a major undertaking and should be approached with careful planning and involvement of the right people.

Carrie Kusserow has been developing codes of conduct for fifteen years and believes they should be an elaboration on the organization’s mission or vision and identify specific values that help accomplish the mission. To be truly effective, the code needs to reflect the spirit, tone, and culture of the organization. This means having the Board and executive leadership supporting and approving the document. If it doesn’t ring true to staff, securing their participation and cooperation in the compliance program will be much more difficult.  Furthermore, the context for the review of a code should be whether there have been problems with covered persons understanding the content. For many organizations, the code may have been written at a level beyond many employees’ understanding.  Kusserow strongly recommends that the code be written at no higher than the tenth grade reading level.

Camella Boateng, another expert who has both been a compliance officer and a consultant, makes the point that the OIG has repeatedly stated that when it comes to compliance programs, including the code and policies, there is no “one size fits all.” Though this is the case, there are certain best practices, such as beginning the code with an introductory statement and strong endorsement from the CEO.  This should make it very clear that everyone in the organization is expected to act in an ethical manner and abide by all applicable laws and regulations affecting the organization. It should also state that it is everyone’s duty to report suspected wrongdoing, and they can do so without fear of retaliation.  The body of the code should address all the stakeholders in the organization, including the patients being served, employees, management, and regulatory agencies.

Suzanne Castaldo, J.D., worked with many clients in revising and updating their codes and found that too many codes have been written more like legal briefs than user-friendly advice. Some of the least useful codes she has reviewed included legalese with formal footnotes.  That is not user friendly. Rather, the code should be presented in the form of general guidelines to assist employees in understanding appropriate conduct and ways to deal with improper behavior.   The OIG compliance guidance documents call for including in codes the operation of the compliance program, along with explanations of applicable laws, such as the Anti-Kickback Statute, Stark Laws, and fraud statutes.

Jillian Bower, an expert on code and policy development, suggests that reviewing a variety of codes of organizations in the same sector provides a good benchmark for comparison and may provide ideas and insights that could be incorporated into revisions. She has found that one of the biggest problems in the way codes are presented to employees occurs when they are written like journal articles in lengthy paragraphs, making them too long and complicated in presentation.  She believes it is important to divide the code into topical subjects headed by an introductory statement of principles, followed by short bullet points that set standards for meeting them.

Al Bassett, J.D., has more than 30 years’ experience with compliance guidance. He believes the most effective means to develop or revise a code that will have wide acceptance and buy-in by everyone is to use a broad-based committee, under the leadership of the compliance officer, that provides input from a variety of perspectives.  Critical to such an effort is having human resources management and legal counsel be part of the effort.   However, he has found that sometimes an effort by a committee gets bogged down for a variety of reasons, including determining the form and format for the code, subject matter to be included, amount of detail needed, timing problems, etc.  Failure to keep the process moving on track is important.  As such, it is best to establish a plan at the beginning of the effort that has firm deadlines for each stage of the process.  If management of this process is considered a problem, outside experts could be considered to facilitate matters.  They can be useful for three reasons:  (1) as outsiders they can sidestep ‘turf’ issues; (2) they have done it many times before and know how to focus the process; and (3) they have the credibility from doing this before.

All were invited to provide specific tips and suggestions for effective development and/or revision of codes of conduct that will be summarized in a March 9, 2017, blog posting.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Compliance officers being effective

Today, organization leadership wants to feel confident that its compliance officer is effective in guarding against government intervention, litigation, and other unwanted events that give rise to liabilities. The challenge is how to convince everyone they are effective in what they do.  Experts with years of experience as both compliance officers and advisory compliance consultants to organizations were asked to provide some insights and suggestions for compliance officers.

Al Bassett, J.D., is a retired Deputy Inspector General and nationally recognized expert on health care compliance programs who has worked on evaluating effectiveness of dozens of compliance programs. He believes that to be effective, the compliance officers must always be selling the benefits of a successful program, as well as the consequences for not having one, to the Board and executive leadership. Once they are on board, then the selling must continue with managers and first line supervisors, and finally with the rank and file employees, physicians, and medical staff.

Carrie Kusserow has 15 years’ experience as a compliance officer, interim compliance officer, and compliance consultant to many organizations. She agrees and says, without question, the biggest sales target has to the Board, in that once it is sold, executive leadership will follow suit. It needs to know and understand what is required of it by enforcement and regulatory agencies, as well as the personal risks for ignoring its fiduciary compliance oversight responsibilities.  The HHS Office of Inspector General (OIG), along with the American Health Lawyers Association, has been issuing ‘White Papers” on Board obligations.  The most recent was Practical Guidance for Health Care Governing Boards on Compliance Oversight. The OIG is now incorporating this guidance into mandates for the CIAs.

Tom Herrmann, J.D., retired from the HHS OIG Office of Counsel to the Inspector General (IG) and then became a compliance officer and consultant to many organizations. He states that once there is “buy-in” from leadership, it is important to cultivate sound working relationships with other functions that overlap with compliance, including human resources (HR), Health Information Portability and Accountability Act (HIPAA) (P.L. 104-191) privacy and security officers, legal counsel, and internal audit.  In far too many organizations, these functions operate at cross purposes with one another and engage in turf battles, so as to have a serious negative impact on compliance officer effectiveness. There is a need to focus on developing cooperation and coordination of effort, along with developing protocols (policy documents) that establish working relationships and methods of cooperative effort.

Steve Forman, CPA, is another veteran of the HHS OIG, where he served as Director of Operations; he followed this with more than twenty years’ experience as a compliance officer and consultant. He sees the most successful and effective compliance officers as having been able to convince first-line managers to carry the compliance message to their subordinates by word and example.  The words they say and the attitudes they project to their staff are powerful, more so than pronouncements from the compliance officer or even the executive leadership.  Compliance officers selling themselves as being effective can be quickly enhanced by personally meeting with and talking to first-line supervisors and managers about the compliance program.

Jillian Bower has worked with dozens of compliance officers in advancing their programs. She points out that it is important to maintain ongoing metrics to benchmark progress of the compliance program to reassure executive leadership and the Board that the compliance officer is being effective in protecting the organization from unwanted events or acts that could give rise to liabilities.   She has found that one of the most useful means of doing this has been employing a professionally developed and independent administered compliance knowledge survey that evidences employee understanding of the program. The best surveys are anchored in a large database to permit comparison to other health care entities; and used periodically they also can measure benchmarks and progress in the program and further evidence compliance officer effectiveness.

Kash Chopra, J.D., has worked with a number of clients with their compliance programs, in addition to have served as an interim compliance officer. She believes effective compliance officers are successful in promoting employee compliance communication channels, particularly hotlines, that ensure complaints and allegations are promptly investigated and resolved professionally. If the workforce does not believe the organization is receptive to its concerns and nothing happens to its input, the compliance officer and program will never be fully effective. In addition, the compliance officer needs to be visible and available to hear employee concerns.  Chopra believes in walking around and being available to talk with people about their jobs, thoughts, and concerns.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: When a CIA looms, it is time to seek a new job, career change, or hiding place, or take action

When organizations fall under the spotlight of the Department of Justice (DOJ), there is a period of many months before a settlement is negotiated that is followed by another negotiation process with the HHS Office of Inspector General (OIG) that leads to a corporate integrity agreement (CIA). By time of settlement, or shortly thereafter, it is common to find the compliance officer has left, as many  see the warning signals and decide to leave, or later are asked to do so.  When this happens, there begins a struggle to replace the compliance officer.   This is not an easy thing to accomplish as it take three to five months on average to find someone qualified and is complicated by the fact that many would-be candidates may not wish to take on a “fire storm” job at the outset of a five-year stringent CIA set of terms and condition.   All this takes place at a time when CIA terms will be adding great new burdens on the compliance program.

Replacing compliance officers

One short-term solution, when replacing the compliance officer, is to designate someone in-house to act until the gap can be filled by a permanent appointment.   This is seldom a good solution.  At a time when a steady, experienced, aggressive, and professional hand is needed to meet the immediate challenges of meeting the stringent compliance mandates of a CIA, the temporary appointee will be just trying to hold things together, without creating any future problems for themselves.   The alternative is hiring an interim compliance officer, until the right permanent solution can be found. This has the benefit of using someone who knows what has to be done and will be replaced within a matter of a few months.  This permits a steadier hand and includes the benefit of having someone to independently assess the state of the program and move on a plan to strengthen it.

Compliance officers who want to keep their jobs

Those desiring to keep their jobs cannot afford to wait in the wings to see what develops while the attorneys are negotiating with the DOJ and OIG.   It is dangerous and career-threatening.  They need to shore up the program and be considered part of the solution.  While negotiations are underway, the attorneys focus on the transaction terms with the government to resolve the pending issues, and not necessarily the consequences of living with the negotiated terms.  This may take many months, during which time the compliance officer needs to act affirmatively and with celerity to strengthen his or her position, before the CIA descends and the attention is redirected back to compliance.  The OIG follows predictable patterns in setting terms and conditions. Anticipating and preparing for what is coming with the CIA is being smart and, quite frankly, a job security effort.   The time should be used to educate management and the Board on what to expect, as well as preparing for what will come.

Evidencing compliance program effectiveness

Compliance officers should move at the earliest date to develop independent evidence that the program is operating the way it should and the problems that gave rise to the government intervention were an aberration. This also will help the attorneys in negotiating terms and conditions. It is wise to consider having an independent compliance program evaluation done by experts far in advance of the CIA mandates going into effect that will mandate the Board to hire a compliance expert to do the same thing. This will provide evidence of program strengths and identify areas of opportunities for improvement, as well as provide time for taking corrective action to address any weaknesses.  Results can be presented to the executive leadership and Board; attorneys may find them useful in negotiating settlement terms.  This further keeps the whole effort under direction of the compliance officer, who can take credit for the identified strengths in the program, as well as in addressing any findings otherwise.  If this is not done well in advance, then all findings will come from the Board-engaged compliance expert and reflect negatively on the compliance officer. There is a big added benefit, in that the independent assessment will likely become the framework for the Board-engaged compliance expert to focus attention to determine if all the corrective action measures have been addressed, rather than developing his or her own review criteria.

Help identify potential Board compliance experts

After a settlement, there usually is a big scramble to find qualified parties to be the independent review organization (IRO) and Board compliance expert.   It takes a lot more time and effort to find the right qualified parties to do this kind of work than to properly vet them.   The fact is there are relatively few such experts with the requisite experience.  It is therefore useful for the compliance officer to have researched the subject long before any CIA is signed or anyone else is focused on this.   Laying a proper foundation for identifying qualified candidates can help the compliance officer to be seen as part of the solution to the challenges facing the organization.  When it comes to compliance experts, it is very important engage parties with considerable experience doing this kind of work. Engaging inexperienced people as compliance experts is risky and unpredictable. Inexperienced people also tend to be more costly as they charge money while learning what needs to be done.  The more experience with this kind of work under a CIA, the better for gaining efficient result.  Those who have done this work before know what needs to be done and have a track record with the OIG.  It also permits reference checking on how well they did with organizations that used them.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.