CEO of Strategic Management Services
Our recent webinar, Current State of Healthcare Compliance Programs: 2023 Benchmark Survey Results, featured Richard P. Kusserow, CEO of Strategic Management Services. Webinar attendees asked several questions that we were unable to get to. Afterwards, Richard Kusserow answered the questions, and we present his answers here. Additionally, the webinar is available to watch on-demand.
1. How big a problem is it for the 17 percent who reported the Compliance Officer reports to Legal Counsel?
That is a matter you need to decide; however, such a practice goes against what both the DOJ and OIG have made clear. They believe attorneys are legal advocates defending the organization, who may try to conceal disclosable issues under attorney-client privilege, whereas they see the Compliance Officer as an independent gatherer of information who would more likely disclose problems when identified. Under such circumstances, the job of Compliance Officer would likely be more difficult when subordinate to the Legal Counsel.
2. The survey results show many organizations have recently or plan to have an independent evaluation of their compliance program. How often should this occur?
When you look closely at all the guidance offered by various authorities you most often see the term “periodic” used. The only time you see a call for annual independent reviews is as a condition in an OIG Corporate Integrity Agreement. I do not believe having them done annually is worthwhile if there is active ongoing monitoring by the Compliance Office. Ongoing monitoring is a program manager’s responsibility and Compliance is a program. I advise our clients to consider having a full-fledged independent compliance program effectiveness review about every three years; and if they want something in between to use an independent, evaluated and administered compliance knowledge or culture survey.
As a side note, it is advisable to have such an evaluation anytime an organization engages a new Compliance Officer from outside the organization. That person would benefit greatly from having a report on the results of such an evaluation. It would tell them what they have inherited and how to draft a work plan to address any weaknesses or opportunities for improvement in the program. Quite frankly, I would make it a condition of engagement to have such a review.
3. What are some of the biggest challenges for Compliance Officers as a result of the changes brought on by the COVID-19 pandemic?
Several of the challenges were cited in the webinar and survey report. One area on which there was little focus was the problem of conducting investigation of hotline complaints and allegations. With so many working remotely, this has created serious issues that could compromise effectiveness, beginning with compliance staff conducting interviews and handling (and storing) confidential information when they are remote.
Then, there is the issue of interviewing individuals who are remote. The best way to do this is via video contacts, but there are security and operational issues to consider, such as avoiding using any public Wifi, guarding against unauthorized recording, conducting the interview free of distractions (children, TV, animals, and other people), and ensuring that others are not seeing or hearing the session, etc.
4. What was the biggest deficiency found in survey responses?
Most respondents believe erroneously that using internal checklists, tools, and compliance surveys is equivalent to an independent evaluation of the Compliance Program effectiveness. These are means for ongoing monitoring of the program, but effectiveness evaluations are ongoing auditing done by parties independent of the program.
5. Do you ever see benchmarking information on compliance incidents reported per 100 employees or other similar information?
Yes, there is data on overall averages. The overall average call volume is one call per thousand employees per month and one to two percent of the number of employees per year. However, call volume varies according to size of organization, healthcare sector of the organization, length in operation of the hotline, and compliance program, etc.
6. Is there any OIG citation regarding recommending external Compliance Program effectiveness evaluations?
Yes, begin with the Compliance guidance for hospitals. There also have been comments about this in the recently released DOJ Guidelines for Evaluating Compliance Programs
7. Can you explain more fully why internally developed and implemented compliance surveys are not viewed as being credible?
- There is a genuine issue of employee suspicion of motive behind such surveys
- Many are concerned questions may be tricks to make the organization look better
- There is fear their responses will not be anonymous
- The overall result is that results tend to be skewed
- Most internally developed surveys are not professionally validated
- Internally generated surveys can’t be benchmarked against healthcare organizations
- Results lack credibility to outside parties
- Cost in time and effort for developing internally a survey is more than using a professionally developed, validated, and administered survey
8. The survey found “responding to new law and regulations” as biggest risk concern. Why do you think this is the case?
The regulatory and enforcement environment is in constant change and is being added to over 200,000 pages of federal laws and regulations already in place. There is the added burden of rapidly developing state laws and regulations. If you are in New York or California, it is a daunting task to keep abreast of changes.
9. I am new to this field, and our Compliance Officer oversees operations, which includes IT management. Could you repeat or elaborate how/why that could be a concern?
In general, Compliance Officers should be responsible for the operation and management for only the Compliance Program. Compliance Officers cannot be independent in oversight of operations for which they are responsible, nor can they be experts in other programs. The role of the Compliance Officer should include ensuring all program managers are engaged in ongoing compliance monitoring of their operational areas of responsibility. As a side note, IT is a highly specialized program area and should have its own responsible party who is knowledgeable and an expert in that area.
10. Do you need to check monthly only against the OIG’s LEIE?
As far as the OIG is concerned, periodic screening against the LEIE is all that is necessary. They do not spell out how frequent that should be. They also don’t have interest in GSA debarment information. However, the Centers for Medicare & Medicaid Services (CMS) calls for monthly screening against both the LEIE and GSA debarment listings, as well as State Medicaid sanction data. Screening DEA, FDA, OFAC, death matches, and other databases is optional.
11. What are the biggest takeaways from the DOJ Guideline questions?
It is difficult to produce evidence of compliance program effectiveness if you rely solely upon internally generated information. DOJ will likely not be receptive to internally generated evidence of compliance program effectiveness.
12. With it taking so long to hire new staff and with so many working remotely, is it reasonable for Compliance Officers to contract with consultants to fill gaps rather than hire new W-2 employees?
Every Compliance Officer must determine whether this is an option that makes sense for them. However, for the reasons stated it is increasingly common for Compliance Officers to engage compliance consultants (most often on a part-time basis) to fill gaps. The advantages are gaining immediately qualified assistance without the cost of overhead for a W-2 employee (e.g., recruiting, training, FICA, benefit, leave, etc.), paying only for hours worked, and being able to terminate without cause when the services are no longer needed.