Evidencing Compliance Program Effectiveness Webinar: Questions and Answers

As promised in the Evidencing Compliance Program Effectiveness Webinar, our presenter Richard Kusserow, CEO of Strategic Management Services, has reviewed all the questions provided by participants and prepared written answers.

How important is it to evidence compliance program effectiveness?

There are many reasons why it is important to be able to evidence compliance program effectiveness, including the following:

  • It is the right thing to do.
  • Many organizations find that their leadership and Boards are seeking such evidence.
  • OIG considers it a mitigating factor in assignment of liabilities and terms of CIA.
  • DOJ notes absence of evidence of an effective compliance program negates the argument of the fault being an individual “rogue employee” and not the organization.
  • Failure to evidence an effective program increase executive and board liability exposure.
  • As CMS completes Affordable Care Act rules program effectiveness becomes mandatory.
  • Effective programs can reduce costly errors and high employee turnover.
Is there an assessment tool available when vetting an expert for the external review process?

Please check out this site, as it includes helpful advice related to vetting an expert. The following are some suggestions to consider:

  1. Engage a firm that can evidence being expert on compliance.
  2. Check the credentials of the individuals conducting the review.
  3. Ensure those to perform the review are real experts and avoid bait-and-switch.
  4. Examine the history and leadership of prospective firms.
  5. Ask the firm how many evaluations it has conducted and ask for references.
  6. Avoid those that use a common checklist approach, which produces poor process results.
  7. Ensure evaluation includes (1) full document review; (2) audit of operations, activities and functions; (3) executive/board/key employees interviews; and (4) focus group meetings.
  8. Be sure the review focuses on auditing and monitoring high-risk areas.
  9. Ask if they will certify meeting General Accounting Office operational review standards.
  10. Require a tort liability insurance policy for their work ($1-5 million).
Can internally developed and administered surveys provide credible evidence of compliance program effectiveness?

The problem of internally developed and administered surveys is largely credibility of results:

  • Most likely they are not professionally developed, tested, or validated.
  • They won’t be benchmarked against other organizations in the healthcare sector.
  • For outside authorities like the DOJ and OIG, truly credible evidence comes from independent sources outside the control of the organization.
  • Many may suspect internally developed survey to be designed to provide bias results.
  • There is the problem of ensuring respondent anonymity.
  • Developing and managing surveys internally are more costly than using a vendor service.
  • Results are not analyzed and assessed by outside experts.
Can you provide examples of what an independent CP evaluator would look at/ask about? I am guessing there are not standard assessments/questionnaires that they would use, correct?

Questionnaires can be very useful for a Compliance Officer in the ongoing monitoring the operation of the Compliance Program. It can produce output information, often in terms of metrics, but does not provide credible evidence of how well that process has been in achieving desired outcome (effectiveness). The OIG and HCCA “Measuring Compliance Program Effectiveness: A Resource Guide” provided a list of 401 possible metrics (“What to Measure”), and 630 recommendations for how to measure against the metrics (“How to Measure”) that Compliance Officer can use to review compliance program. However, the output of process reviews lends themselves to metrics, but outcome seldom can be evidenced numerically.

How has the new DOJ guidance regarding CCO certification impact this information?

On May 26, Deputy Attorney General Lisa Monaco announced a new policy requiring CCOs to sign off on certain agreements with the DOJ, stating that the policy is meant to “empower” the CCO, to ensure that the CCOs are “in the room” and reporting to the board directly about “what has or has not gone on in the course of fulfilling the company’s obligations,” and to promote the concept that “the business is taking ownership of its role in the compliance program and the Officer receives all relevant compliance-related information and can voice any concerns prior to certification.” In carrying out such mandates, the CCO should be prepared to evidence meeting these requirements. Having an Independent Evaluation of the Compliance Program that documents progress and accomplishment of the program with ideas by which the program can be enhanced would go a very long way to provide this evidence. Such reviews should include addressing the hundreds of prosecutor questions in the 2020 DOJ “Compliance Program Effectiveness Evaluation Guidelines.”

How often should Independent/Outside Compliance evaluations be performed?

Governmental authorities have not detailed frequency of having an Independent/Outside Compliance Program Effectiveness Review, other than the general term periodic. I don’t believe it is cost effective or worthwhile having an annual review of such a magnitude unless the organization is under a Corporate Integrity Agreement with a mandate for a Compliance Expert to provide such a review. Having said that, many larger organizations participate in annual reviews due to decisions at the Board level. We have found the best practice is to have a full comprehensive review ever two or three years with an employee survey using a professionally developed instrument administered independently that is anchored to a large universe to permit understanding of the status of the program when compared to that universe.

What are the best means by which Industry Comparative Data can be used to benchmark a Compliance Program?

There are two healthcare sector compliance surveys that permit individual organizations to benchmark their results against a large industry universe. The Compliance Program Knowledge Survey© is a dichotomous survey that measures the level of that knowledge and provides a means by which to assess the effectiveness of an organization’s compliance program. Results are benchmarked against the universe of those who have completed this same survey. The Compliance Program Benchmark Survey© has been used since 1993 to measure employees’ perceptions and attitudes in evidencing the compliance culture of an organization, using a Likert based survey. Results are benchmarked against the universe of hundreds of organizations who have used this same survey.

Is it being suggested that the HCCA Measuring Effectiveness Guidance document is inadequate to measure effectiveness?

The OIG and HCCA “Measuring Compliance Program Effectiveness: A Resource Guide” (January 2017) is a 54-page document that provides a list of 401 possible metrics for measuring a compliance program with 630 recommended actions to assist in evaluating compliance programs. It is very useful for compliance ongoing monitoring, but focuses primarily on the operation and program management processes and process evaluation is just the first level in determining how truly effective a program is in achieving desire goals. Measuring process outputs lend well to metric evidence, however outcome measurement seldom can be evidenced numerically. The use of survey was mentioned over 60 times as one area relating to evidencing outcome.

What do you think the highest risk to monitor will be for behavioral health in 2023 since that sector is growing very quickly?

The fact is that the mental health services sector is rapidly growing as a result of the Affordable Care Act; and the COVID 19 pandemic loosened some health care service rules to enable faster delivery of needed services. This rapid growth has also led to a rise in fraud and abuse issues leading to OIG and DOJ enforcement. Among the most common areas have been (a) improperly prescribed unnecessary psychotropic medications, (b) fabricated patient files and services, (c) patient recruiters involved in kickbacks, (d) billing for patients not referred by health care facilities, (e) billing for patients without diagnosed mental health issues, (f) any claims for services medically unnecessary, (g) services never provided, (h) services for ineligible individuals, etc. It is noteworthy that the OIG is continuing their review of appropriateness of Medicare payments for partial hospitalization program and community mental health centers for psychiatric services. However, if you are looking for the highest risk area, focusing on any arrangements for recruiting patients should be at the top of the list., followed by claims processing.

What are the differences in cost and benefit for having a Compliance Program Effectiveness Review, Compliance Program Gap Analysis, and Compliance Program Survey of Employees?

Compliance Program Effectiveness Review is the most expensive, generally running between $50-100,000 depending on the size and scope of the work. It involves full review of all compliance-related documents (in effect the same process as a Gap Analysis); examination of the program elements in operation; and debriefing of Compliance Officer and staff, interviews with the CEO, other executive leadership, board members, and key employees. It may also include focus group meetings with selected employees. A key focus is reviewing and verifying that ongoing monitoring and ongoing auditing of high-risk areas is operating effectively.

Compliance Program Gap Analysis is primarily a documentary check list review that is supplemented by some interviews. Its cost, depending on size of the organization and scope of work, normally runs less than half of a full Compliance Program Effectiveness Review. It is a process review that only tells you what is in place (outputs), but not how well it is functioning or how effective the program is in meeting its objectives (outcome). This is primarily for organizations where the program is just getting started and has not been fully implemented. It is of very limited value for fully established programs.

Compliance Program Knowledge Survey© or Compliance Program Benchmark Survey© of Employees can provide measure of effectiveness and is recommended by the OIG. They can test compliance knowledge, understanding, attitudes, and perceptions of employees. When using a professionally developed and independently administered survey linked to a larger universe to compare results with other organizations in the health care sector, it is extremely valuable. The cost of such a survey is far less than a Compliance Program Gap Analysis and roughly only about 10-15% of the cost of a full Compliance Program Effectiveness Evaluation.

What is the least costly method to evidence Compliance Program effectiveness?

Without doubt the easiest, fastest, and least expensive way to provide convincing evidence of Compliance Program effectiveness is the use of a validated healthcare compliance survey. It is one of the two suggested methods by the OIG.

Who do you recommend for conducting Interviews during a Compliance Program Effectiveness Evaluation?

If an organization engages a firm to perform such an evaluation, the key is that all those involved in the review have compliance experience and expertise. This, in turn, means that those conducting the interviews be expert on debriefing and garnering relevant information, rather than someone just following a checklist of questions.

Do you have any information on CMMC compliance and adherence?

The Cybersecurity Maturity Model Certification (CMMC) is not focused on the healthcare sector. It is a program established by the US Department of Defense (DoD) to secure and protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by requiring the certification of external contractors across 17 different domains. However, it deals with similar issues as presented the webinar in terms of process and resulting practices. The focus is largely on compliance maturity levels.

What about automated systems?

Automated systems can be a very good method to monitor compliance. The key point is monitoring and that relates to process and outputs, but not necessarily outcome which evidence effectiveness of the process.

For more information on this subject, contact Richard Kusserow at rkusserow[email protected]


Read the 2022 Healthcare Compliance Benchmark Report.

Learn more

Healthcare GRC
See how our compliance solutions help healthcare organizations.

Keep Reading