Governance, Risk & Compliance: GRC
Current State of Healthcare Compliance Webinar: Questions and Answers
CEO of Strategic Management Services
Our recent webinar, Current State of Healthcare Compliance Programs: 2024 Benchmark Survey Results, featured Richard P. Kusserow, CEO of Strategic Management Services. Webinar attendees asked several questions that we were unable to get to. Afterwards, Richard Kusserow answered the questions, and we present his answers here. Additionally, the webinar is available to watch on-demand.
1. What does the Survey indicate are some of the continuing Compliance Program issues from COVID-19?
Several challenges were cited in the webinar and survey report. They included evidence of disruption of the work force that included many quitting their job. And among those remaining, the great majority of compliance employees were working remotely to one degree or another, with many resistant to return to the worksite. Also, during the pandemic, Compliance Officers retired at twice the rate of previous years, creating gaps that take a long time to fill.
The 2024 Survey indicates many more Compliance Officers are planning to retire in the next few years. This has resulted in increased time and effort to replace those leaving and needing remote staff. In many cases, Compliance Officers have turned to using consultants under part-time contracts to fill staffing gaps. Another area affected by all of this has been investigations. Even when staff is onsite, the parties that need to be interviewed may not be present which could compromise effectiveness.
2. Can you provide more details as to why the Compliance Officer reporting through Legal Counsel is viewed negatively by the OIG and DOJ?
That is a matter you need to decide; however, such a practice goes against what both the DOJ and OIG have made clear in their guidance documents. In short, they believe attorney are legal advocates defending the organization, who may try to conceal disclosable issues under attorney-client privilege.
However, they see the Compliance Officer as an independent gatherer of information who would more likely disclose problems when identified. Under such circumstances, the job of a Compliance Officer would likely be more difficult when subordinate to the Legal Counsel. There is also the question of potential conflict of interest in having that same party responsible for both the Legal and Compliance Programs. For more on this topic, read: https://www.compliance.com/resources/compliance-officer-should-be-independent-of-legal-counsel-2/.
3. How often should there be an independent compliance program evaluation?
When you look closely at all the guidance offered by various authorities, you most often see the term “periodic” used. The only time you see a call for annual independent reviews is as a condition in an OIG Corporate Integrity Agreement. Compliance ongoing monitoring is every program manager’s responsibility; and this includes the Compliance Program. As such, the Compliance Officer should annually assess the progress of the program. However, engaging outside experts to conduct full-fledged independent compliance program effectiveness evaluations can be done about every three years. If other independent evidence of the program is desired, consider in off years, having independent evaluations and administering compliance knowledge or culture surveys.
As a side note, it is advisable to have such an independent evaluation anytime an organization engages a new Compliance Officer from outside the organization. That person would benefit greatly from having a report on the results of such an evaluation. It would tell them what they have inherited and how to draft a work plan to address any weakness or opportunities for improvement in the program. Quite frankly, I would make it a condition of engagement to have such a review. For more information on this question, see https://www.compliance.com/resources/2024-compliance-program-independent-assessments/.
4. Lets say someone served as Compliance Officer and Privacy Officer for an organization and reported directly to the General Counsel with no direct reporting to the CEO or the Board. Why might this be a problem and what happens if concerns are ignored?
First, there is no legal or regulatory requirement for the Compliance Officer to avoid reporting directly through the Legal Counsel. However, all regulatory guidance—including the U.S. Sentencing Commission, DOJ, and OIGs—call for reporting directly to the CEO. They see the function as one of independence of other operating officials. As part of Corporate Integrity Agreements, the OIG mandates no reporting or subordination of the Compliance Office to Legal Counsel. Therefore, the burden would be on the organization to convince enforcement authorities investigating potential violations of the law or a regulation that having the Legal Counsel responsible for compliance was the best method they had in preventing wrongful behavior and promoting an effective Compliance Program.
This would be a tough sell under those circumstances. The DOJ and OIG see the critical role of the Legal Counsel as legal advisor, advocate, and protector of management, whereas the Compliance Officer is viewed as a function that looks out for the interest of all those in the workplace, not just management. Therefore, they see a potential conflict of interest in having both legal and compliance authority under one roof. They also believe the Compliance Officer should have independent authority to disclose to appropriate authorities any overpayments and potential wrongdoing.
All any Compliance Officer can do under the circumstances described in this question is to inform leadership and the board of the potential problem with the hope they will see the merits of the arguments and act accordingly. If they do not, depending on how difficult the situation is, this may leave the choice of living with the arrangement or leaving the organization. For more on this topic, read: https://www.compliance.com/resources/compliance-officer-should-be-independent-of-legal-counsel-2/.
5. What are the potential benefits of engaging a compliance expert to act as Interim or Designated Compliance Officer?
The following are some potential benefits for engaging an expert contractor to act as Compliance Officer, either as the Interim or Designated Compliance Officer:
- No delay, able to start immediately
- No recruitment or training costs like for a W-2 employee
- Work can be done part-time, or only as much time is needed to do the work
- Pay is only for hours worked
- No added overhead costs (e.g., FICA, leave, benefits, etc.)
- No learning curve on the ever-changing regulatory environment
- Have prior experience in adapting compliance programs to smaller organizations
- Possess expertise that may not be available in-house
- Able to provide independent assessment on the status of the Compliance Program
- Can be terminated at any time by simple notice
- Have their own multi-million dollars liability insurance coverage
For more information on this question, read https://www.compliance.com/services/interim-outsourced-compliance-staffing/.
6. Why is conducting evaluations internally a problem?
It is not a problem. In fact, it is expected. Compliance Officers, like all program managers, should be engaged in compliance ongoing monitoring of their areas of responsibilities. Using internal checklists, tools, and compliance surveys as part of this effort can assist managing and advancing the Program. However, they are not equivalent to an independent evaluation. Program Effectiveness Evaluations are reviews, assessments, or audits that by definition must be conducted by parties independent of the program to be credible to outside authorities. Internally generated reports are generally viewed as biased and self-serving.
7. Since the survey found it takes a long time to hire new staff and with so many working remotely, is it reasonable for Compliance Officers to contract with consultants to fill gaps?
Every organization must determine whether this option makes sense for them. However, it is increasingly common for organizations to engage compliance consultants to serve as Interim Compliance Officers until a permanent replacement is hired. Or for the Compliance Officers to seek assistance with addressing short-term staffing gaps. Most of these engagements are part-time. The advantages are gaining immediately qualified assistance without the overhead cost for a W-2 employee (e.g., recruiting, training, FICA, benefits, leave, etc.), paying only for hours worked, and being able to terminate without cause when the services are no longer needed.
8. If employee compliance surveys are considered useful, why are internally developed and implemented ones thought to lack credibility to outside authorities?
First, there is nothing wrong with conducting internally developed and implemented surveys. They can be a useful tool as part of ongoing monitoring and are often deployed by HR. However, using results of surveys to evidence effectiveness of compliance programs is another issue. The reasons results may lack credibility to outside authorities include:
- Most internally developed surveys are not professionally developed or validated
- Many employees suspect the motive behind such surveys leading to skewed results
- Many are concerned that questions may be tricks to make the organization look better
- There is fear responses will not be anonymous
- Internally generated surveys cannot be benchmarked against other organizations
As a side note, the cost in time and effort for developing internally a survey is more likely than using a professionally developed, validated, and administered survey. For more information, read: https://www.compliance.com/resources/benefits-of-using-professionally-developed-and-implemented-surveys-for-evidencing-compliance-program-effectiveness/.
9. What are the biggest takeaways from the DOJ Guideline questions regarding evidencing effective Compliance Programs?
It is difficult to produce evidence of Compliance Program effectiveness if you rely solely upon internally generated information. DOJ will likely not be receptive to internally generated evidence of compliance program effectiveness. After all, the DOJ would only be asking questions of organizations where they have found the organization involved in violating federal laws or regulations. It is reasonable they would suspect any unsubstantiated information provided by the organization.
10. The Survey found “Responding to New Law and Regulations” as the biggest risk concern. Why do you think this is?
The regulatory and enforcement environment is in constant change with new laws and regulations by federal and state authorities being added regularly. It creates an added burden to keep abreast of it, especially if you are in New York or California. Being able to do this is apparently becoming a challenge for Compliance Officers already burdened with managing the many aspects of the Compliance Program.
11. Why is it not a good idea to have someone internally assume temporary responsibility for the management of the compliance program?
In the ever-changing regulatory and compliance environment, no provider can afford to have long-term gaps in coverage of compliance leadership. The survey found replacing a Compliance Officer can take six months or longer. This is too long to have the program lack firm leadership. Rapid degeneration of the program may occur in the absence of a competent person responsible for day-to-day compliance program management. Filling a gap by designating someone internally is not always a good option, as that individual may likely lack experience and expertise and cannot be expected to recognize and address problems in a timely and professional manner.
Also, using a member of the Compliance Office staff is unfair and risky. The fact that an organization has decided no one internally is qualified and then having someone assume that role for many months creates lot of problems, including the fact that individual could well resent having the burden of doing a job that the organization has said they are not qualified to do.
12. What are some ideas for addressing staff shortages?
The following are some suggestions to consider in addressing staff shortages:
- Analyze current, most important, and urgent tasks/projects against available resources
- Rethink priorities and timeframes on scheduled projects and tasks
- Determine if staff experience and capabilities exist that can be used in other capacities
- Develop a plan of action to prepare and organize your team for the workload ahead
- Assist staff in developing skills for different roles/duties (training, webinars, conferences)
- Consider engaging a consultant to address tasks/projects current staff cannot manage
- Decide if any function can be outsourced (e.g., hotline, sanction screening, training programs, assessments, internal auditing, etc.)
- Consider engaging interns to help with task work
- Discuss with staff about meeting challenges
- Focus on strategies to boost morale and prevent departure
13. Can engaging temporary Compliance Officers while seeking a full-time replacement be cost-effective?
A compliance expert engaged as Interim Compliance Officer (ICO) can offer advantages and be cost effective, depending on the terms of the agreement. Begin with an analysis of the cost of supporting the full-time Compliance Officer position, including salary, as well as overhead costs (FICA, leave, health, insurance, retirement, and other benefits). Keep in mind, a contractor is not an employee and so these overhead expenditures would be included only in their fee schedule.
Also, an expert might be able to hold the program together on a less than full time basis. In making an assessment for this option, consider the benefits of an ICO, such as (a) easily engaged and terminated, (b) as experts they won’t need training on the duties, (c) can maintain the continuity of the program while seeking a full-time replacement, (d) be immediately available to address new and emerging compliance issues, (e) use prior experience to tackle any work backlogs left by a departing Compliance Officer, (f) assist assessing potential candidate qualifications for the permanent position, and (g) provide “fresh eyes” to objectively evaluate the program’s status.
The latter point is very important in that the engagement could be structured to include in the duties providing a report on an independent assessment of the program. This would not only provide useful unbiased information for leadership and the board, but also can be a road map that the new Compliance Officer can follow for hitting the ground running.
14. Should Internal Audit be part of (or report up to) the Compliance Officer/Department or be a part of (or report up to) the Finance Department?
Having Internal Audit reporting directly to the CFO or Finance Department is not considered a best practice, as it can create a conflict of interest problem, especially when a review involves questions about the operation of financial functions. Best practice for reporting can be one of two tracks. The Institute of Internal Auditors notes that a separate Internal Audit function, in order to achieve necessary independence, should report directly to the Board Level Audit Committee. Alternatively, many organizations have had the Internal Audit function subsumed under the Compliance Officer that reported directly to the CEO and Board, which also gives it the necessary independence.
15. Can you talk more about training and communications? What should we be doing beyond orientation and annual training?
The OIG General Compliance Program Guidance offers many suggestions that would answer this question. They note the Compliance Officer should develop an annual training plan for all covered persons that includes such topics as (a) identity and role of the compliance officer and Compliance Committees, (b) importance of open communication with the compliance officer, (c) various ways individuals can raise compliance questions and concerns with the compliance officer, (d) nonretaliation for disclosing or raising compliance concerns (e.g., hotline), and (e) means through which the entity enforces its written policies and procedures equitably and impartially. This training is expected to take about one to two hours.
They also call for targeted training of about six hours for individuals engaged in compliance high risk areas that address any compliance risks specific to their roles and responsibilities. This training should address applicable health care program rules applicable to the entity’s business. Depending on the learners’ roles, these may include, for example, billing, coding, documentation, medical necessity, beneficiary inducements, gifts, interactions with physicians and other sources or recipients of referrals of Federal health care program business, and sales and marketing practices. The education and training program also should include a requirement that licensed personnel must complete all education and training mandated by the licensing board that governs their license.
16. Should investigation interviews be conducted under oath?
As a general rule, compliance investigations should not include placing someone under oath. Internal compliance investigations are administrative in nature, not done under lawful authority of a duly authorized enforcement agency. Law enforcement agencies have the legal authority to take legal action for false statements made in connection with an investigation. If someone provides false and misleading information, administrative, not legal action is involved. The larger response to this question is that those conducting internal investigations should not try to take on the role of a law enforcement officer.
17. How do you handle screening an individual (Sanction screenings) without SSN or DOB?
To definitively identify someone on a sanction listing, have a unique identifier, such as an SSN, Tax ID, License, National Provider Number, etc. Name matches, date of birth, professional specialty, etc. are not unique identifiers, as more than one person may have the same information.
18. What is the typical size of health care entities that have a mature compliance program, type, number of employees, market cap or revenues?
It is not a question of size. Maturity depends on a variety of factors, including (a) structure of the program, (b) services being provided, (c) size and location of operations, (d) characteristics of the workforce, (e) locations where services are provided. Within that context, determining the maturity level of the compliance program involved having controls in place that support compliance with all applicable legal obligations, business requirements and industry best practices, evidence that they are accessible for all covered persons functioning properly for policies and procedures, and evidence of being followed.
19. Where can I find answers to general compliance program questions?
You might find what you seek concerning healthcare compliance at Frequency Asked Questions (https://www.compliance.com/faqs/)
