Kusserow on Compliance: Addressing the risk of whistleblowers

The DOJ recently reported the fact that 93 percent of its successful civil false claims court actions arose by qui tam relators (whistleblowers) bringing the case to the DOJ’s attention. As such, it is important to understand better how to address the risk of having that happen to your organization. Key factors to be considered are the motivation of most whistleblowers and how to channel them to report internally, rather than going to outside authorities.

Tom Herrmann, JD, while at the OIG, was responsible for coordinating whistleblower cases with the DOJ.  He noted that the common practice for the DOJ, upon receiving a complaint from a qui tam relator, is to have the OIG conduct the preliminary investigation on their behalf. Inasmuch as these False Claims Act (FCA) cases were civil in nature, it was not the usual course to involve the FBI.  As such, he had the opportunity to review the initial complaints and often times meet or discuss with the relator about what caused them to report the problem. He found that there were many reasons given by individuals for becoming qui tam relators. e HhOnly a few qui tam relators indicated their motivation was for the potential reward coming from the case. The most common statement was that because they were unable to obtain a credible, internal reporting channel, they decided to report externally. Credence was given to this as a major motivating factor by the fact that in many cases they did find evidence of many Whistleblowers having reported the problem internally first, and moved to report externally when inadequate attention was give to their complaints. There were also whistleblowers who stated they were motivated by ethical considerations and felt they could not justify allowing a bad situation to continue without taking some sort of action.

Steve Forman, CPA, has over 30 years experience with the OIG, as a compliance officer, health care consultant. He found many situations where an employee’s reporting a potential violation of law, regulation, or organization Code or policy was the subject of adverse action or reprisal.  In some cases, the whistleblower moved to a legal course of action to protect themselves.  Unfortunately, it is not uncommon to find members of management engaging in retaliatory actions against employees trying to expose wrongdoing. In some cases, these same people turned to attorneys who led them to become qui tam relators. A key factor in managing the risk of having a whistleblower is to understand what motivates them to go externally with and report a problem; and try to channel them to resolve the issue internally.  It is also important to remember that making the decision to report a problem to the compliance officer is viewed as taking considerable risk with regards to their job, reputation with their fellow employees, and their future financial security.  Reassurance of protection against retaliation is critical. However, for some, that may be not enough.  This means the option to report anonymously is also important.

Carrie Kusserow has overseen many IRO and Compliance Expert engagements with clients who signed Corporate Integrity Agreements with the OIG. She noted that in several cases, while carrying out the duties of the engagement, her consultants identified the original whistleblower and found in several cases they had tried to raise the issues internally, before deciding to go outside the organization and become a qui tam relator. In other cases, the whistleblower reported not trusting the hotline or compliance office to protect them against retaliation. The lesson to be learned about avoiding external whistleblowing is to ensure that internal compliance channels operate credibly and properly. This also means taking prompt action to follow on any complaints or allegations of wrongdoing. It also means that strong policies and procedures to protect individuals reporting potential wrongdoing must be implemented and followed. This includes permitting employees to be able to report anonymously or if they do identify themselves that they will be detected in their confidentiality law.

Tips for Compliance Officers

  1. Ensure reporting suspected wrongdoing is stressed in the code, policies and training
  2. Review and update hotline-related polices/procedures (confidentiality, anonymity, non-retaliation, duty to report, etc.)
  3. Ensure a 24/7 hotline operated externally, as internal ones are less trusted and unavailable at all times
  4. Look to expand and increase compliance communication channels beyond just the hotline
  5. Promote the reporting of wrongdoing (newsletter, intranet, training programs, etc.)
  6. Find ways to provide feedback so that employees know reporting is taken seriously
  7. Consider engaging experts to evaluate compliance communication channels effectiveness
  8. Allegations of potential violations of law or regulations must be promptly investigated
  9. Ensure that individuals are trained and competent to conduct prompt investigations
  10. Disclose promptly all cases where investigation indicates potential violations
  11. Review and update investigation and resolution of allegations polices/procedures
  12. Take appropriate disciplinary action against identified wrongdoers
  13. Consider having on call experts in conducting investigations to assist if needed
  14. Understand CMS and OIG self disclosure protocols that may avoid FCA investigation
  15. Ensue investigations finding of potential violations of law are promptly disclosed to the DOJ


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Effective hotline programs

All healthcare organizations need confidential compliance communication channels. First and foremost among them is a hotline. By definition, all effective compliance programs should have a hotline. It is an important avenue of communication between employees and management, in that it permits employees to report sensitive matters outside the normal supervisory channels.  The reality is that developing and monitoring a hotline is a critical part of any effective compliance program. It provides an avenue of communication that permits employees to report sensitive matters outside the normal supervisory channels. The compliance officer bears the responsibility of constantly reviewing and improving the effectiveness of the hotline operation.  The US Sentencing Commission, the HHS Office of Inspector General (OIG), and Department of Justice (DOJ) all call for having a hotline, as well as other authorities, including the Sarbanes-Oxley Act for publicly traded companies and the federal courts in connection with unlawful harassment. Failure to establish positive internal compliance reporting channels often results in reporting externally to the OIG and DOJ from “whistleblowers.” The challenge is establishing effective internal compliance communication. Today, it is the exception to find organizations trying to manage a hotline function internally. The fact is that any advantage of internally operated hotlines is more than off-set by the disadvantages.

From a practical standpoint, it simply is not cost effective to operate a hotline 24/7 internally.  Even those that decide to operate and manage the function in house are confronted with a number of challenges—it is extremely inefficient, costly and seldom meets any minimum standards. Hotline numbers will need to be “backstopped” against tracing and all caller identification systems have to be blocked. People answering the calls in house should not be highly visible to the work force. Confidence comes from neither party being known to the other. Hotline vendors have the training and experience to handle complainants. Callers are generally nervous and afraid and knowing they are providing information to an outside party generally is reassuring. They always raise the question of whether anonymity is truly offered and whether employees will ever sufficiently trust calling an employee. It has become the standard practice for organizations to outsource their hotline to a vendor.  However, evaluating those providing the best service at the right price is a challenge. The following are questions that can be used to determine a properly qualified vendor. Those failing key tests should be avoided as they may prove to be a future liability.


Questions for hotline vendors

  1. Cost of Service. Does the vendor charge an established fixed rate or sliding rate based upon number of calls? Seek a fixed, not a variable rate, based upon number or time of calls. A good rule of thumb is that the cost of a hotline service should not exceed $1-3 per employee per year.


  1. Industry Focus. Can the vendor evidence having understanding and expertise of issues related to the health care industry? Failing to understand healthcare standards and regulatory matters limits the ability to properly debrief callers. Ask for a breakdown of the types of clients they serve by industries.


  1. Hours of Service. Does the vendor provide 24/7 service? If not, don’t use them.


  1. Call Centers. Does the vendor provide call services? If so, avoid them completely. Call centers provide outbound calls used to promote services and products. Others answer after hour services for businesses (doctors, plumbers, electricians, etc.) and relate messages to their clients. The people doing this are performing a clerical function and answering hotline calls requires more professional expertise. Furthermore, there is the risk of having calls interrupted by a call for some needing emergency service.


  1. Hotline Service Types. Does the vendor provide multiple levels of service for (a) receiving live operator calls and (b) a web-based reporting system that prompts individual complainants? One level alone is not enough.


  1. Avoiding Vendor Contract Traps. Does the contract permit cancellation at any time with a simple 30 day notice? If not, don’t use them. Staying with a vendor should be because of good service, not because of being locked into them by contract terms. If you have a current contract, check the termination clauses to see if cancelling a contract is cumbersome. If it is, ask to renegotiate the termination clause. If they decline, then take steps to follow termination procedures in the contract.


  1. Hotline Number. Does the vendor want to use their phone number? This is a common vendor trap to lock in users to their service. You advertise their number everywhere and to change would necessitate changing all the places you have advertise the number. Always use and own your own hotline number that can be pointed to a vendor.


  1. Language Translation. Does the vendor provide a language translation service to address non-English speakers?


  1. Check Vendor Background. What is the level of hotline experience among the ownership, management, and operation of the service?


  1. Length of Hotline Experience. How many years of experience can the vendor evidence in the management of hotline operations?


  1. Policies, Procedures, and Protocols. Does the vendor provide advice on developing operating protocols for following up an allegations and complaints received through the hotline?


  1. Business Associate Agreement (BAA). Does the vendor offer to sign a BAA to meet HIPAA protected health information (PHI) requirements for any patient related information received through the hotline? If they don’t know what that means, forget them.


  1. Timelines. Will the vendor agree to provide a full written report within one business day of receipt of the call and for urgent matters, immediate notification?


  1. Report Delivery Security. Does the vendor deliver call reports by the most secure means? It is critical to establish a secure call report submission process to a specific responsible party and to an alternate should the primary contact be unavailable? Any delivery of reports via fax or email lack necessary security. It is critical that reports are secured to protect those filing the report, as well as those who are subject of the report or mentioned in them. HIPAA PHI, proprietary and confidential data, and personnel information must be protected. Web-based reporting is the most secure with notification of a report being provided via email.


  1. Routine vs. Urgent Reporting. Does the vendor assist in establishing a process that alerts the primary contact to any urgent report received? A delay in reporting a serious issue could result in potential liabilities.


  1. Insurance. Does the vendor provide at least one to three million dollars liability coverage? If your vendor does not have this insurance, consider changing over to one that provides this assurance.


  1. Caller Contact Information. Does the vendor have procedures for providing callers with a means to call back without disclosing their identity?


  1. Personalized Service. Does the vendor provide the identity or identities of individuals available to respond to any issues or question that may arise, whether it relates to call reports, invoice issues, or providing general advice? Not having easy access to someone or having to go through a phone system moving you from one office to another before you find a stranger who may or may not be able to answer your questions can be frustrating. If possible, seek an identified accounts manager who will be responsible for any and all issues that arise under the contract.


  1. Training and Assistance. Does the vendor provide guidance on the best way to promote understanding of the hotline?


  1. Other Useful Benefits. Are there any other services or benefit provided under the contract? This would include such things as supporting policy and procedures for hotline management, poster templates, newsletters, etc. For smaller organizations, these benefits may exceed even the service fees paid to the vendor. Find out what they offer.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

How should compliance officials deal with whistleblowers?

Effective compliance programs give employees an anonymous way to report potential violations, and consistently follow up on all tips received. In a webinar titled “Do You Know What To Do When the Whistle Blows?” and presented by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA), Michael Moore, a former U.S. Attorney for the Middle District of Georgia currently with Pope McGlamry, explained best practices for investigating whistleblower complaints.

The False Claims Act (FCA) (31 U.S.C. §3729) allows a whistleblower with knowledge of fraudulent claims submitted to the federal government for payment to file a qui tam action on behalf of the United States and share in any recovery as relator. The most common types of health care fraud include lack of medical necessity, billing for services not rendered, and violations of the Anti-Kickback Statute (42 U.S.C. §1320a-7b) or Stark law (42 U.S.C. §1395nn). Life sciences fraud can also include kickbacks, off-label marketing, and failing to disclose adverse events to the FDA. Moore noted that, although relators get a larger share of recoveries when the government does not intervene in the suit—25 to 30 percent, versus 15 to 25 percent when the government does intervene—recoveries overall are generally much larger when the government intervenes, giving the relator a larger award.

When an aggrieved employee comes forward as a potential whistleblower, the compliance department’s response can make a difference for the organization. Often, Moore said, the employee wants to be heard, have his or her concerns recognized, and believe that something will be done about the problems he or she identified. Routine compliance training, a non-retaliation policy, and implemented written standards and procedures are all hallmarks of effective compliance programs. Practically speaking, compliance departments should do the following when confronted by a complaint:

  • evaluate the credibility of the allegation;
  • appoint an independent, objective “designated person” to respond to the investigation;
  • avoid taking retaliatory action against the potential whistleblower;
  • determine the timeline and scope for the investigation—the involvement of the government is an important component for this determination; and
  • consider self-disclosure, if the investigation discovers conduct that may give rise to FCA liability.