Building Blocks for Effective Compliance Programs: Questions and Answers

Our recent webinar, Building Blocks for Effective Compliance Programs, featured Richard P. Kusserow, CEO of Strategic Management Services and former Inspector General of the Department of Health and Human Services. Webinar attendees asked several questions that we were unable to get to. Afterwards, Richard Kusserow answered the questions, and we present his answers here. You can watch the webinar on-demand.

1. If we add all the building blocks, will it mean we have an effective compliance program?

It will lay foundation for it, but it is how they are put in play and operation that will determine the outcome and effectiveness of the program.

2. It has been suggested to have a webinar on Compliance Officer’s development of executive traits and skills. Why would this be a good idea?

I believe this request arises from the fact that the DOJ and OIG call for the Compliance Officer to be a senior executive reporting to the CEO. Although this may be established in form, the question is whether the Compliance Officer will be accepted in fact in that role. The webinar suggested would be in the form of a tutorial for preparing to meet this challenge. It would have to provide simple practical and logical actions and steps that an individual would have to master and evidence with interaction with the C-Suite leadership.

3. What is the most credible evidence for effective compliance programs?

The most credible evidence is that presented by experts and processes independent of the organization, such as Independent Evaluations by Experts and Independently administered Compliance Surveys. Both the OIG and DOJ stated they place great value in evidence of employee compliance knowledge, attitudes and perceptions. The OIG/HCCA Compliance Roundtable on Compliance Program Effectiveness cited surveys over 60 times in all seven compliance program elements.

4. Why would not the building blocks alone provide credible evidence of an effective compliance program?

Adding Building Blocks is a process measurable in outputs, not outcome. They lay the foundation for the program, but it is in the implementation that effectiveness can be evidenced. Adding building blocks and checking them off demonstrates you know what needs to be done and failing to translate this into action, could be viewed as being grossly negligent, which can be worse than no building blocks.

5. Regarding Policies and Procedures: Do you recommend adding Proprietary, Confidential, or a similar descriptor to the footer of the policy or procedure? I observed one company that labeled all policies Proprietary AND Confidential, which doesn’t seem appropriate.

The observation is right. It is fine to label a policy as proprietary, but not appropriate to have a policy document labeled confidential. The OIG and DOJ expect easy access to these documents by anyone to whom it applies, whether it be an employee, medical professional, vendor or contractor. It is a best practice to display these policies for all to see.

6. Are there updated OIG policies for 3rd party billing? Most recent OIG policy I found was 1998, wanted to ensure I have the most up to date by the OIG.

Though often discussed by the OIG and cited by the DOJ, there is not a lot of detailed relationship policy guidance available. Much of the 3rd Party compliance is found in policies related to the Stark Law, Anti-Kickback Statute, as well as policies related to gifts, business courtesies, etc.

7. If an organization is not large and there is no feasible way to have a separate Compliance Officer, would it be reasonable for Human Resources incorporate that responsibility?

The problem for smaller organizations is real, however using HR for compliance has been found on many occasions to be a big mistake. There are a host of reasons for this, beginning with that the roles are entirely different although they overlap. HR is responsible for a host of rules, regulations, and responsibilities. Adding the compliance program of equal complexity on top, cannot be expected to result in any success.

Often, compliance issues arise from HR failure. In those circumstances, how could HR investigate HR? The OIG recognized the problem and has specifically noted in their Compliance Program Guidance documents that smaller organizations can outsource their Compliance Officer function on a parttime basis to an outsider expert. From my experience that is a better track to consider. There is much written on this that is easily accessible thought the internet they may be worth reviewing.

8. Are there any sources you recommend for what items should be in a CEO letter of commitment to the culture of compliance?

The CEO Cover Letter just speaking about supporting a culture of compliance is of limited value without adding specific comments. Among the point in the letter, it is recommended the CEO endorse the Code and provide a commitment that the entire leadership team is committed following the stated principles. I suggest also including a statement that not only much everyone abide by the Code but have an affirmative duty to report any violations of the Code, laws, regulations, or policies to any member of management, the Compliance Officer or to the hotline (citing the number). Added to that should be assurance that anyone making reports in good faith would be protected against any retaliation or reprisals. Following this it is advisable to note that confidentiality would be protected, and the option is open to reporting anonymously. All these points taken together provides evidence of a commitment to a culture of compliance.

9. What are some examples of Compliance Incentives?

This is a good question. Although specifically referred to by both the DOJ and OIG, there is little by way of describing exactly how this would work. However, implied by both, is that employee evaluations should include compliance as an element. As such, gaining points in the evaluation for supporting the compliance program would be an incentive. Some organizations have provided awards for employees reporting problems or making suggestions on how to improve the organization’s compliance program. What is also stated by the DOJ especially, but also by the OIG, is that disincentives for compliance would be considered a serious issue. This includes the case where executive or managers that permitted a compliance problem to occur were not held fully accountable for any negligence or mismanagement on their part.

10. The OIG has multiple guidance documents, if part of an organization, do you need distinct/separate compliance programs for each of the applicable sections such as Clinical lab? Or should it be a comprehensive/cohesive organizational program which is applicable for all?
  • This is an issue frequently encountered by Strategic Management when conducting Compliance Program Effectiveness Evaluations and finding the right way to address this problem is something that garners a lot of attention. However, for purposes of trying to answer all questions raised in the webinar, I believe the short answer is better to have a single program modified to take into consideration different lines of business and locations. However, there may be cases where this rule might be modified. To address this fully would take more than is permissible with this process, however the following provide some thought on the subject.
  • Many health care providers have a wide variety of services. For example, a hospital system may provide a great variety of ancillary services. Also, compliance programs are often organized differently. Most have HIPAA Privacy under the Compliance Program, while others do not. For those with research programs there may be a separate Research Compliance Program or have it under the Corporate Compliance Program.
  • So, to answer the question, let’s begin with the fact that both DOJ and OIG recognize there may be complexities within organizations and therefore stress their guidance is general and that every organization must develop a compliance program that is consistent with the business culture. If they were to evaluate the Compliance Program, they would focus on whether the model established was working the way it should.
  • It would be considered a best practice to have a single umbrella Compliance Program under a single Chief Compliance Officer. This program would have the guidance principles in the Code to apply to all lines of business. It would have a unified and standardized sanction screening process, single hotline for reporting problems and concerns, etc. Also, many policies could be universal to all lines of business. Now, for the differences: You would likely need compliance related policies that were applicable only to the business line (e.g., Clinical Lab) as they will be operating under different sets of rules. Also, a best practice when lines of business locations are remote, it to have Compliance Liaisons at those facilities who would work with the Chief Compliance Officer.

For more information on this subject, contact Richard Kusserow, CEO of Strategic Management Solutions, at [email protected]


Read the 2022 Healthcare Compliance Benchmark Report.

Learn more

Healthcare GRC
See how our compliance solutions help healthcare organizations.

Keep Reading