In our recent webinar, Meeting Challenges of the New DOJ Compliance Program Guidelines, healthcare compliance experts Richard Kusserow, CEO, and Thomas Herrmann, JD, Managing Senior Consultant at Strategic Management Services reviewed the DOJ's guidance for creating and maintaining effective compliance programs and provided best practices for compliance officers to implement an effective program, particularly in healthcare organizations.
Many questions were asked during the presentation that the speakers were unable to answer live. Below is a compilation of those questions with answers provided by Richard and Thomas with Strategic Management Services.
How is the DOJ Guidance different from that of the Office of Inspector General?
The DOJ Guidance and the U.S. Sentencing Commission (USSC) Guidelines are not industry-specific. They apply to all business activities in all business sectors, whereas the OIG Guidance is focused on the healthcare sector. However, both the DOJ and OIG generally follow the principles set forth in the USSC. It is noteworthy that certain questions in the DOJ Guidance applies more to activities in other then the healthcare sector, whereas the OIG Guidance often has questions and issues specific only to the healthcare sector. Taken together, the DOJ and OIG guidance are complementary not conflicting.
You mentioned having a mock review of the DOJ Guidance. What are the benefits for doing this?
I think it is worth serious consideration to having a Mock DOJ Compliance Program Review:
- It would permit finding out how DOJ might view your program.
- Focus should not be findings, but identifying opportunities for improvement with specific ways to remediate deficiencies noted.
- Having such a review meets the DOJ and OIG call for periodic independent review of the compliance program.
- Review results can be used as evidence (to executive leadership, board, and possibly the government) that the program is improving and evolving.
- It should be considered more of a consultative engagement, than an audit with the reviewers working in collaboration with the compliance office to find out how the organization would fair by a DOJ review AND focus on identifying ways to resolve deficiencies.
- Finally, this limited scope review by outside experts should only be at a fraction of the cost of a full Compliance Program Evaluation or even a Compliance Program Gap Analysis
When we do these reviews, we confine the scope to a document review and limit discussions to the Compliance Officer and staff. No site visits are involved. No interviews of executives, board members or others are conducted. We concentrated on finding solutions, in most cases, quick fixes to deficiencies noted.
Why has the DOJ placed so much focus on evidence of a “Culture of Compliance”?
The DOJ has learned that a “paper program” is two-dimensional and focuses on “output,”, whereas they know the best “outcome” of an effective compliance program is a “culture of compliance.” However, it is difficult to evidence.
How much does it cost for Mock DOJ Compliance Reviews?
It depends on the scope of work. When Tom and I do them, we find that the cost for doing it at most organizations would be about one third to one quarter the cost of a full Compliance Program Effectiveness Evaluation or Compliance Program Gap Analysis. This is because the scope of work is limited to working with the compliance office staff and in reviewing documents. It is more like a compliance advisory service than an audit.
The result is a very focused report of findings, opportunities for improvement, and specific recommendations and suggestions for remediation. This information can then be used in developing the Annual Compliance Office Work Plan. It also evidences how the program is continuing to improve and evolve.
When would be the best time to conduct a Mock DOJ Compliance Program Evaluation?
Now. There is no reason to wait. The optimal time to be able to use the results of such a review to best advantage is in the fourth quarter of the year. The results can be incorporated in the 2021 Compliance Office Work Plan. Having such a plan would be further evidence that the program is active in moving forward to increase its effectiveness.
During the webinar, much was said about surveys. Can you have a single survey for both compliance knowledge and culture?
Not really. They are entirely different types of surveys with one using dichotomous (yes-no) answers and the other using a Likert Scale approach with gradations in the answers. To have the results be considered credible, the survey used needs to be validated, tested, and reliable in representing your employee universe. For those interested in using these types of surveys, I would suggest using them alternatively, not in the same year. Don’t over survey your people. With such a focus by the DOJ on culture, I would start with that type first.
What is the web link to the DOJ resources related to the new DOJ guidance?
Does Strategic Management provide consulting services that include conducting Mock Compliance Program evaluations?
Yes, we provide that service (details). These services are usually with the compliance office and delivered as advisory services to assist in improving the program with ideas and suggestions to strengthen evidence of a forward-moving and evolving compliance program.
What kind of report do you provide at the end of a Mock DOJ Compliance Program Evaluation?
Unless requested to do so, no report as such is provided; instead, an excel spreadsheet is provided documenting findings with suggestions and recommendations for improving evidence of an effective compliance program. Those questions where the finding was satisfactory evidence in place are also documented to evidence program effectiveness. The spreadsheets with findings for additional supporting evidence can be turned into a checklist for the Compliance Office Annual Workplan.
Slide 35 recommended documentation related to lessons learned and being able to demonstrate that you are applying them to your compliance program…what does that look like? How does someone effectively demonstrate that they are identifying and applying lessons learned?
The DOJ is referring to the need to determine the “root cause” of problems identified and then taking steps to correct any systemic weaknesses that gave rise to them. In other words, they expect an organization to learn lessons from what caused identified problems and take action to prevent their reoccurrence.
Where can we find a sample of a compliance culture survey?
We are aware of only one place where there is a compliance knowledge survey and a compliance culture survey that (a) focuses exclusively on the healthcare sector and (b) are anchored in a large database of users, against which results can be benchmarked. Resource
What suggestion do you have for how to evidence meetings/conversations? For example: Will a “Meeting Logbook” by date with a high-level “Subject” suffice?
What you want to evidence is the substance of the meeting as it relates to compliance. As such, meetings with the Executive Compliance Committee and Board Compliance Committee should include dates of meeting, the agenda items related to compliance, any training that takes place, identification of key compliance issues discussed, etc. The objective is to provide evidence that serious business was discussed. Only summary information is needed.
Similarly, meetings that the Compliance Officer has with the CEO should be documented as to date, general description of issues discussed, etc. Again, only short summary notes sufficient to evidence that the meeting were substantive.
There have not been any new requirements relating to lab compliance programs since it was stated in Federal Register before 2000. Is a separate lab compliance program still required or is the facility compliance program all that is needed?
The distinction between the OIG guidance and that of the DOJ is significant. The original Model Compliance Plans for Clinical Laboratories to which you referred is at https://oig.hhs.gov/fraud/docs/complianceguidance/cpcl.html. It was not mandated guidance, only advisory. It was framed to be used by labs as guidance. There are no mandated programs. However, the movement is in that direction. The DOJ Compliance Program Evaluation Guidance is for use by prosecutors in assessing how they would treat an organization found in violation of the law. In cases where they determine there was an effective compliance program, it can result in leniency. On the other hand, the absence of such a program may result in more severe enforcement actions. DOJ made available that for public viewing but was not written as guidance for organizations.
Do you have suggestions about how you highlight anonymous reporting with all operations are now being remote?
Use a hotline service that provides 24/7 operator answered calls and web-based reporting. For more information check www.complianceresource.com
With regard to due diligence during mergers and acquisitions, is it enough to have legal counsel involved and reviewing matters or is it absolutely necessary to have the compliance office pay a role in these acquisitions?
The short answers to these questions are (a) Legal Counsel’s involvement is not enough and (b) DOJ believes it is imperative to have compliance play a role in acquisitions. There is no question that there is a major due diligence role for legal counsel that needs to focus on legal liabilities by examining the entity’s structure; business permits and/or approvals; employment and labor law compliance; environmental law approvals, permits and compliance; contractual rights and obligations; intellectual property rights and obligations; real property law compliance; securities and financing regulatory compliance; tax exposure risks; consumer protection law and exposure risks; and/or licenses; previous and/or current litigation; media reports; and external consultants and/or advisors.
Another critical component to due diligence is financial analysis, performed by an independent accounting firm that reviews and evaluates the balance sheets, income statements, audit reports, and cash flow statements and projections in measuring financial viability. However, the DOJ also is concerned about how regulatory and legal compliance issues are being addressed. They see that the compliance function should play an active and strategic role in this area. The ask several questions in connection with this, including the following:
- Does the compliance program include comprehensive due diligence of any acquisition targets?
- What is the extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization?
- How has the compliance function been integrated into the merger, acquisition, and integration process?
- What role has compliance played in the company’s strategic and operational decisions?
Should the CCO attend the full Board meetings or is it acceptable to only attend the Board Audit & Compliance Committee of the Board?
Both the OIG and DOJ expect the Compliance Officer to have direct access to the Board, however, generally, that would be through a committee that is charged with compliance oversight. However, it is expected that the Compliance Officer would meet with the full Board annually to provide updating and education on compliance in the changing legal and regulatory environment. Also, if the Compliance Officer has a sufficiently urgent matter, there should be direct access to the full Board.
For the independent review, do you recommend involving counsel so the report is protected by attorney-client privilege?
There is always the option to place work under the direction of legal counsel, but for a Mock Review, it is not likely to be necessary. The review is not focusing on potential violations but only on the process; and the OIG and DOJ expect there will always be findings that evidence a need for improvement. They stressed that the program is always work in progress, never completed. Thus, engaging in this type of review would be viewed as good and having findings also being good, so long as they are being addressed. So, most should want to have the review results open and known to continue positive improvement.
Discuss independence regarding Compliance and Legal and the organization structure?
Both the DOJ and OIG see Legal Counsel as an advocate for the organization, not an independent and objective party that they believe the Compliance Officer should be. They have encountered many cases where Legal Counsel acting as the Compliance Officer has buried matters under attorney privilege, rather than openly disclosing it. The OIG, in their Corporate Integrity Agreements, will prohibit compliance being under the Legal Counsel.
Another concern is that serving both the role of legal counsel and compliance creates a potential conflict of interest in trying to protect the interest of the organization and that of employees bringing forth issues that question the organization’s activities.
Is General Counsel viewed as appropriate for CCO? If there is a compliance staff?
Both the DOJ and OIG position has been for legal Counsel to not exercise a dual role. They view Legal Counsel as advocates for the organization and not independent gatherers of fact and evidence who should voluntarily disclose violations of law and regulation to appropriate authorities. They have also encountered in many cases Legal Counsel attempting to put under privilege information to avoid full disclosure.
Corporate Integrity Agreements clearly reinforces the OIG’s position regarding Legal Counsel’s involvement with compliance and include standard language that “The Compliance Officer shall be a member of senior management…, and shall not be or be subordinate to the General Counsel or Chief Financial Officer.” The Sentencing Commission has also weighed in on this by questioning whether Legal Counsel meets the definition of “high level” management, or if it is staff advisory support function.
In short, Legal Counsel assuming the “dual role” or having compliance report through them puts the organization at risk of not receiving benefits afforded under them, if they are involved in a federal fraud case.
With regard to the credibility of surveys, if staff is told that the responses are not tracked, and a third party, such as Survey Monkey is used, is that enough to establish credibility; acknowledging that some employees will never trust the process?
It helps to show that the tool being used does not track answers back to respondents, however that is only part of the question. A key assumption of any successful employee survey is that everyone will complete it and provide honest answers to all questions, however, this is dependent upon them knowing they can share feedback in a confidential way that prevents leaders or stakeholders from tying that feedback directly to their name. Many employees worry when completing surveys that their answers will be seen by managers and potentially used against them. And if you can’t guarantee that that won’t happen, you can’t count on their open, honest participation.
However, there are other factors to consider. Many employees consider internally developed surveys may be done in such a way as to bias results in favor of the organization. Also, keep in mind that the credibility of the survey used should extend to outside parties, including the DOJ and OIG. They place higher credibility on professionally developed and administered surveys.
I am not a compliance company. We outsource our sanction screening. My concern is when I get a fuzzy identification and the information such as birthdate, town/city does not match our employee's info, what else if anything do I need to do? We are a small Home Healthcare Agency with limited office staff. This information is all good and good to know, but, where do we fit in?
There are a bundle of questions and issues here. First, most organizations use a sanction checking service to assist in the screening of employees, medical staff, vendors, etc. They provide search engine tools to facilitate screening, as well as full service to resolve potential “hits”. The problem is that no confirm match can be made without a unique identifier (SSN, Tax ID Number, License Number, etc.) that connects an individual or entity to a sanction database. A birthdate is not a unique identifier, nor is an address, medical specialty, etc. Having this information can help determine if the person is likely the same as a sanctioned party but that is as far as it goes.
Also, unfortunately, sanction authorities don’t use common identifiers, especially at the state level. In many cases, the “potential hit” cannot be resolve without going back to the party and asking them more information. If a screening service is being used, they have added expertise to help resolve some of the “fuzzy identification” issues.
Why do you believe it is important to conduct a Culture Survey?
DOJ Guidelines call for prosecutors calls for them to review the “company’s culture of compliance” and give consideration to “whether the company has… surveyed employees to gauge the compliance culture… to “assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operation…The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top…(and) prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations. it is important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company”. In making determinations about the compliance culture, the Guidelines tell prosecutors to ask the following questions:
- How often and how does the company measure its culture of compliance?
- Does the company seek input from all levels of employees to determine whether they perceive senior and middle management’s commitment to compliance?
- What steps has the company taken in response to its measurement of the compliance culture?
What factors need to be considered in determining the best culture survey to use?
First and foremost, it is important to know what the result of the survey would be. If it is just raw numbers, it will provide little value, regardless of what the score is. The report should be analyzed by experts who can provide context to the results and offer advice as to significance of results, and most importantly, how results compare with other healthcare entities using the same instrument. Second, survey instruments used must be both reliable and valid for results to be credible for those responding to it, as well as those reviewing the results. Therefore, reliability and validity must be examined and reported, or references cited, for each assessment instrument used to measure study outcomes. The goal is to obtain a representative sample to be certain that the people who respond to the survey represent the thinking of the entire population, as if you had a 100% response rate. There are several factors that determine the credibility and usefulness of survey results, including the following:
- Validity. This refers to the accuracy of measurement and depends on asking questions that truly measure what is supposed to be measured.
- Reliability refers to whether an assessment instrument gives consistent or dependable results.
- Content involves asking the right question, which relies upon those that created the instrument.
- Likert Scale is the most widely used approach to scaling responses in surveys. Unlike a dichotomous (yes-no) questions, used in compliance knowledge surveys, respondents specify their level of agreement or disagreement to a question or statement, thus capturing the intensity of their feelings for a given item.
- Pilot Testing involves testing the wording, question sequence, appropriateness and meaning of sections, etc. Without this, the evidence of the instrument's reliability becomes questionable.
Do the non-regulatory risks belong to the Compliance Program? Organizations face significant risks that are not regulatory-driven (e.g., compliance with laws and regulation). Should those risks be included in the risk assessment processes of the compliance program?
Both the OIG and DOJ have made it clear that organizations have wide discretion regarding how they structure and organize their compliance program. However, they expect the organization will be able to justify their decisions and evidence the program is effective. The 2020 national Compliance Benchmark Survey asked about this very issue and found that some organizations have gone very far in moving risk management under the Compliance Program. The fact is that compliance risk management focused on laws and regulations generally can fit nicely under the compliance program, however, enterprise-wide risk management goes far beyond what traditional compliance programs should be doing. However, program managers need to be responsible for risks within their operational areas. The OIG refers to this as Ongoing Monitoring that includes identifying programmatic risks, providing written guidance (policies/procedures) for their staff, training them on it and monitoring to ensure they are following that guidance. Ongoing Auditing is done by parties independent of the operational area to verify that Ongoing Monitoring by program managers is taking place and validate that it is effective. The simple fact is that the Compliance Office is not the most qualified party for all risk management. That would mean they would be involved in day to day clinical, financial, IT, physical security and other risk issues well beyond their expertise. What compliance should be doing is ensuring there is risk management across all programs and operations of the organization.
What does it cost for culture and knowledge surveys?
Employing survey methods to collect data regarding compliance culture is an excellent way to gather lots of information from many people. This is the best method to use when one hopes to gain a representative picture of the attitudes and perceptions of employees. The cost depends on:
- Size of the survey population
- Whether results are just raw, unanalyzed data or a fully analyzed report with action steps to improve performance
- Whether there is a “deep dive” analysis of the results with suggested actions for improvement
- Whether the results are benchmarked against other health care organizations who have used the same instrument
For a survey of a medium-size organization that provides detailed analysis and benchmarking of results, you can expect it would cost approximately $5000 to $7,000. Find more information on compliance.com.