Kusserow on Compliance: Compliance officers should have active roles in CIA negotiations

Laura Ellis, HHS Office of Inspector General (OIG) Senior Counsel, has a reputation for managing the most difficult and complicated corporate integrity agreements (CIAs) on behalf of the OIG. At the recent Health Care Compliance Association (HCCA) Compliance Institute, she urged compliance officers not to sit on the sidelines while a CIA is being negotiated with the OIG. They should be actively involved in all facets of negotiation and should not wait to be involved until the agreement is signed and put into effect. She reminded everyone that once the CIA is signed, the compliance officer, not the attorneys, will be the face of the company to the OIG. From years of experience, she has found that attorneys negotiating the terms and conditions of a CIA often do not have the operational experience to fully understand all the implications of the terms and obligations being committed to. As a result, it is not uncommon for attorneys to come back to the OIG after a CIA has been executed to try to renegotiate points. This is triggered when management and the compliance officer realize what is involved in meeting the terms and conditions. Ellis stated that the OIG is not inclined to reopen CIA negotiations. The mistake was not having the compliance officer involved at the front end and present during the negotiation process. As the CIA settlement process takes shape, the compliance officer needs to:

  • be part of the negotiations;
  • review and comment on all drafts;
  • create a basic plan from the draft to determine what it takes to meet obligations;
  • conduct a min-gap assessment of what it takes to do what the CIA would require;
  • begin work on implementation strategies; and
  • start the process to determine resource needs to meet obligations.

Ellis also made the point that attitude matters once a CIA is in place, and compliance officers should work with the monitor in an open and honest way. A positive working relationship between the monitor and the compliance officer is in everyone’s best interest. The earlier in the process that they get to know each other, the better.

Thomas Herrmann, J.D., was previously responsible on behalf of the OIG for negotiating CIAs and providing monitors, and subsequently gained many years of consulting experience working with more than a dozen clients with CIAs and as an independent review organization (IRO). He says that what many fail to understand is that, although the OIG is involved in the Department of Justice (DOJ) settlement process, a different OIG attorney will be assigned as negotiator for the CIA. Once the agreement is executed, it is passed on to yet another OIG attorney, who serves as the monitor to assure compliance with the terms of the CIA. A very common mistake is for attorneys to raise issues that were handled by someone earlier in the process, or in effect, to re-litigate. This is a big mistake. The OIG will not re-litigate or interpret decisions made by the DOJ. At the same time, the OIG monitor is definitely disinclined to deal with issues that were or should have been addressed with the OIG negotiator. Herrmann goes on to explain that the OIG views the organization’s legal counsel as filling an adversarial role, but once things are executed, the OIG does not want to continue dealing with the advocate. The focus of the relationship with the OIG should be on meeting the terms of the CIA. Herrmann sees it as a huge mistake for legal counsel to continue making arguments or trying to modify terms with the monitor, as this frequently aggravates matters and creates additional problems for the organization. The monitor wants to deal with how the organization will meet its obligations, and that means working with the compliance officer to determine how the terms and conditions of the CIA will be fulfilled. It behooves compliance officers to get to know their monitor as quickly as possible, evidence their commitment, and exhibit an attitude of working out what it takes to get the job done.

Carrie Kusserow has over 15 years’ compliance officer and consultant experience; in fact, she was brought in to be the compliance officer for an organization under a CIA while Laura Ellis was the monitor. Her experience with Ellis was precisely what Ellis explained during her presentation. Maintaining the focus on meeting the obligations of the agreement is very important for credibility and permits the ironing out of issues. By listening carefully and responding to Ellis’s questions openly and in a forthright manner, Kusserow developed a very good working relationship. This made work easier for everyone. Compliance officers need to listen carefully to what the monitor expresses, do the work needed, and then immediately follow up to report the actions taken. The focus must stay on getting the job done to the satisfaction of the OIG. It is also critical that the compliance officer at all times be “straight up” and honest with the OIG. If this is done, then a bond of trust can be developed that can iron out the details that are sure to arise. This can permit seeking non-adversarial clarification of terms and conditions. On the other hand, failing to develop a proper working relationship with the monitor can result in a lack of understanding and increased work for everyone. As such, as soon as the CIA is signed, the compliance officer should come into direct contact with the OIG monitor.

Suzanne Castaldo, J.D., has worked both as a litigator and as a compliance consultant dealing with numerous organizations with CIAs. She confirmed what Ellis noted about attorneys negotiating with the OIG without the active involvement of either management or the compliance officer. In almost every case, it has created avoidable issues. She strongly recommends that anyone engaging a law firm to assist with CIA negotiations insist on including knowledgeable members of management and the compliance officer in all meetings with the OIG. All terms being negotiated should be reviewed and assessed by them to understand all implications and resulting work obligations. Many attorneys will not find this to their liking and may argue against it. However, not being part of this process reminds one of “arriving at the dance after it is over.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.


OIG reviews MassHealth and its Medicaid data and information system safeguards

MassHealth failed to adequately safeguard data and information systems through its Medicaid Management Information System (MMIS), according to an audit by the HHS Office of Inspector General (OIG) undertaken to determine whether Massachusetts safeguarded MMIS data as required under federal requirements.

What is MMIS?

The MMIS is “an integrated group of procedures and computer processing operations (subsystems) developed at the general design level to meet principal objectives” which are: Title XIX program control and administrative costs; service to recipients, providers and inquiries; operations of claims control and computer capabilities; and management reporting for planning and control. States receive 90 percent federal financial participation (FFP) for design, development, or installation of MMIS and 75 percent FFP for operation of state mechanized claims processing and information retrieval systems.

MassHealth MMIS

The Massachusetts Executive Office of Health and Human Services is responsible for administering the state Medicaid program, commonly known as MassHealth. Information technology architecture, maintenance, and support are provided by the Massachusetts Office of Information Technology, and application support is provided through a contract with Hewlett-Packard.

The audit

Audits of information security controls are performed routinely on the states’ computer systems used to administer HHS-funded programs, and states are required to implement computer system security requirements and review them biennially. The OIG’s audit of MassHealth’s MMIS included MassHealth’s websites, databases, and other supporting information systems. The review was limited to the security control areas and controls in place at the time of the visit. Specifically, the OIG looked at MassHealth’s implementation of federal requirements and National Institute of Standards and Technology guidelines regarding the system security plan, risk assessment, data encryption, web applications, vulnerability management, and database applications. Preliminary findings were communicated directly to MassHealth prior to the report’s issuance.

OIG’s findings

The OIG found MassHealth did not safeguard MMIS data and supporting systems as required by federal requirements. Vulnerabilities were discovered related to security management, configuration management, system software controls, and website and database vulnerability scans. Should exploitation of the vulnerabilities have occurred (and there was no evidence that it had), sensitive information could have been accessed and disclosed and operations of MassHealth could have been disrupted. Sufficient controls must be implemented over MassHealth Medicaid data and information systems.

Specific vulnerabilities uncovered were not detailed in the report because of the sensitive nature of the information. However, specific details were provided to MassHealth so it may address the issues. In response to the report, MassHealth described corrective actions it had taken or planned to take in response to the vulnerabilities.

Kusserow on Compliance: OIG issues resource guide on measuring compliance program effectiveness

On January 17, 2017, the HHS Office of Inspector General (OIG) hosted a group of compliance professionals to discuss ways to measure the effectiveness of compliance programs. It really was a “brainstorming” session with the objective of generating a large number of ideas for looking at the seven standard elements of a compliance program. The key term to remember is “ideas.” On March 27, 2017, the OIG posted a Resource Guide that included these ideas about compliance programs; it is not a “checklist” for assessing a compliance program. It was generated to provide as many ideas as possible, while being broad enough to assist any type of organization and to permit each to choose which ones best suit its needs. Some ideas may not apply to some entities. The Guide provides ideas from which an organization may choose a small number in any given year. The Guide does not follow the OIG compliance guidance documents in detail, except that it addresses the seven standard elements. As such, many of the items listed cannot be found or tracked in those guidance documents. The list provides measurement options to a wide range of organizations with diverse sizes, operational complexity, industry sectors, resources, and compliance programs.

Using all the ideas or even a large number of these was deemed impractical and is not recommended. The OIG notes that how the list in the guide can be used depends on those using it. Some of these suggestions might be used frequently and others only occasionally. The frequency of use of any measurement should be based on the organization’s risk areas, size, resources, industry segment, etc. Each organization’s compliance program and effectiveness measurement process will be different. The following compliance program elements were addressed by the participants in work groups over a series of sessions:

  1. Standards, Policies, and Procedures;
  2. Compliance Program Administration;
  3. Screening and Evaluation of Employees, Physicians, Vendors and Other Agents;
  4. Communication, Education, and Training on Compliance Issues;
  5. Monitoring, Auditing, and Internal Reporting Systems;
  6. Discipline for Non‐Compliance; and
  7. Investigations and Remedial Measures.

It is worthwhile remembering that effectiveness is related to “outcome,” not output. For example, having compliance training for all covered employees is a process output metric. How well the participants learned the lessons and retained them is a measure of the outcome, or effectiveness, of the training. When reviewing the lists provided in the Guide, remember that most of the items relate to process. Another important factor to consider is how determinations relating to items on the list will be made, and by whom.

Measuring overall effectiveness

In its compliance guidance documents, the OIG cites two ways program effectiveness can be measured.

  1. Employee Surveys. Throughout the list there were notations that relate to outcome. In many places, it was suggested to use surveys to learn about employee knowledge, understanding, and attitudes related to compliance issues. In fact, surveys were mentioned 61 times across all seven elements. Surveys were also included in the various OIG compliance guidance documents as a means of measuring compliance program effectiveness. There are two types that can be used: a Knowledge Survey that measures employees’ knowledge and understanding of the compliance program, and a Compliance Culture Survey that measures employee attitudes and perceptions concerning organizational compliance. Both compliance knowledge and culture surveys were cited as ways to determine how well things are functioning. If a validated and tested survey is used and administered independently, in a way that ensures the anonymity of respondents, there is great value in the results. The value can be magnified many times if the results can be benchmarked against a large universe of organizations using the identical survey instrument. Organizations can also benchmark results from one survey to the next, showing program improvements. Results from such a survey provide powerful evidence of compliance program effectiveness to executive leadership, the board, and even outside authorities.
  2. Independent Compliance Program Effectiveness Evaluation. OIG compliance guidance documents note that all program managers are responsible for ongoing monitoring of their areas of responsibility. Alongside that is ongoing auditing by those independent of the program area to verify that the monitoring is taking place and to validate that it is effective in addressing any high-risk areas. Compliance is also a program, and the list in the Guide can be useful to the compliance officer in monitoring it. However, the compliance officer cannot independently audit his or her own program for effectiveness. This must be done by an outside, independent, and objective party. As such, a compliance program effectiveness evaluation can look across all seven elements, and most of the ideas in the Guide should be addressed in the results.


Kusserow on Compliance: Codes of conduct part 2—16 tips for developing or revising codes

The code of conduct should be a statement of guiding principles for an organization, with separate policies and procedures providing more detailed guidance on how to meet them. It should be reviewed annually as part of ongoing monitoring to ensure it is current with applicable laws, regulations, policies, and standards. Periodically, the code will need to be revised and updated. The HHS Office of Inspector General (OIG) has provided a number of points it believes should be included in such a document. It is worth reviewing them as part of either developing or revising the code. The following are tips, considerations, and suggestions related to code development or revision.

  1. Gain buy-in from the top. All codes need buy-in and support from the top, beginning with Board approval and personal involvement and support of the CEO. They should not only provide input to the process, but ultimately approve the result.
  2. Determine responsibility for code review and revision. Most codes are developed and reviewed under the leadership of the compliance officer and human resources management (HRM) with a cross section of key persons from the various operational areas. The compliance officer, HRM, and legal counsel should actively drive the process.
  3. Code will affect policy development. The code should be analogous to a Constitution that outlines basic principles; policies are like laws and regulations that must be consistent with the Constitution. The code should directly inform and shape compliance policy development.
  4. Form a committee to assist in development/revision of the code. It is important to gain wide buy-in for the code. It is advisable to form a committee consisting of individuals across various operational areas. Their views and input will go a long way in selling the code to the entire workforce. The committee can assist in determining the format and content of the code and can be used to meet target deadlines for completion. The committee should include the compliance officer, legal counsel, HRM, Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) privacy/security officers, and representatives from various operations.
  5. Develop a plan. Code development must follow a plan with timeframes for step completion and the respective roles for everyone involved in the process. All those involved in this effort need to understand how it is going to function and the level of commitment necessary from them. The various development and approval steps, as well as timeframes for them, should be part of the plan.
  6. Consider using experts to facilitate the process. There is no need to reinvent the wheel. Code development or revision can be simplified, facilitated, and guided by compliance experts in this field. They can not only advise, but also direct attention to key concepts that need to be included in the code, many of which have been outlined by the HHS OIG. They also have the advantage of avoiding the turf issues that sometimes slow decisions about the code.
  7. Decide upon size. The code should be a booklet, not a book. If the amount of content grows, employees’ attention to reading and absorbing the content declines. Detailed written guidance on complying with code provisions should be included in policies and procedures. Generally, codes should be about 20 pages or less.
  8. Establish form and format. The best practice is to have each section of the code begin with an introductory statement of guiding principle, followed by bullet-point standards in furtherance of that statement. Bullet points are easier for employees to follow than long narratives.
  9. Determine core content. Among the initial steps in code development or revision is determining what is needed in terms of specific content. The code should address all stakeholders, including patients, employees, management, regulatory authorities, etc. The code should include a description of the compliance program and how to contact the compliance office by phone and email. It should also address regulatory and legal issues, including conflicts of interest, gifts and gratuities, high-risk areas, and compliance with the fraud statutes, including the Anti-Kickback Statute, Stark Law, etc.
  10. Address reporting of suspected problems. The code should clearly state that everyone has an affirmative duty to report any possible wrongdoing, along with a detailed outline of procedures for handling questions about compliance or ethical issues, and the channels by which they can report potential violations in confidence or anonymously without fear of retribution or retaliation. This includes provisions for how to report to the hotline.
  11. Decide on manner of dissemination. A decision needs to be made as to how the code will be made available to all covered persons, such as being posted on the organization’s intranet, provided in hard copy with a signed receipt, or a combination of both. If the code is not new, but one that has been revised, then steps need to be taken to stop dissemination of the old version. The code should be addressed in all employee training sessions. In the case of compliance training, the code should be covered in some detail and copies of the code should be available at those sessions.
  12. Reference to policies and procedures. The code should be a document that sets forth principles the way the Constitution does for the country, with policies providing more detailed written guidance, in the same way that laws and regulations do. Therefore, when the code is changed, revised, or updated, it is important to review all policies to ensure they remain consistent with the code. Having a code and policies that conflict is a formula for migraines.
  13. Reading level. It is critical that the code be written at a level understandable by employees. Failure to do this can result in a document that cannot adequately support the compliance program goals of the organization. Finding the right reading level can be a challenge, as there is often a wide range of education, from professional staff with graduate degrees to those without any degrees at all. The best practice is to try to create a document at the tenth-grade reading level. The worst practice is to develop a document in legalese with footnotes to laws and regulations.
  14. Language. Many health care organizations have a significant percentage of their employees for whom English is a secondary language. The question to be determined therefore is whether the code should have versions in another language. If the decision is affirmative, care must be taken that the translation is very accurate, as nothing can create a bigger headache than multiple interpretations between documents in different languages.
  15. Date the document and formally rescind the old version. If a question arises concerning written guidance to employees, it is important to have evidence of what guidance was in place during the period in question.
  16. Acknowledgement and attestation. There should be a form evidencing receipt of the code by covered persons, along with a form to be signed by each person attesting to his or her understanding of and compliance with the terms of the code. Such forms should be kept on file by HRM.
