Compliance Corner by Compliance Professionals, for Compliance Professionals
Total Page:16
File Type:pdf, Size:1020Kb
Compliance Corner By Compliance Professionals, For Compliance Professionals. Building an Effective Compliance Program with Limited Resources By Marti Arvin, Vice President of Audit Strategy at CynergisTek What is an effective compliance program? To across multiple operational departments. For example, in paraphrase Supreme Court Justice Potter Stewart’s a large, better-resourced program, the Privacy Officer may statement on what is obscene, “I can’t define it, but be responsible for all privacy policies but in a smaller orga- I know it when I see it.” That statement is also true of an nization with fewer resources, some or all of these may be effective compliance program. What needs to be addressed the responsibility of a department like Health Information is how to “see” an effective program. If there are limited Management Services (HIMS). If HIMS is responsible for the resources, which is so often the case, this will mean lever- drafting and maintenance of these policies, compliance may aging the right resources across multiple business units. Often just need to review them. This also may be true for policies on when evaluating a compliance program for effectiveness, the billing and coding, conflicts of interest, and other compliance tendency is to look at the Compliance Office and the oversight areas. An effective program will have compliance policies of the Compliance Officer. Particularly in an organization with that are reviewed and updated as appropriate on a regular limited resources for compliance activities, that “look” will basis. Thinking of ways to share the burden rather than have it need to go beyond the Compliance Office to create and main- centralized in one department with limited resources can help tain an effective program. ensure policies are kept up to date. When it comes to measuring effectiveness, an organization Compliance Program Oversight must be able to demonstrate the core characteristics under the What is an effective oversight structure? It should demonstrate Seven Elements of an Effective Compliance Program defined senior leadership’s involvement. All too often, the responsibility by Chapter 8 of the Federal Sentencing Guidelines. When for compliance oversight begins and ends with the Compliance resources are limited, more of these elements may be addressed Officer. If the Compliance Officer is under resourced this just outside the Compliance Office. adds to the demands. Regardless of resourcing, to demonstrate effectiveness, there should be evidence of the discussion of Policies, Standards, and Procedures items across the seven elements with leadership. Ideally, the The first question to ask is do policies exist? If the organization meeting agendas and minutes will be structured to follow the has limited resources, policy ownership may be distributed seven elements and reflect the discussion of the committee on 32 AHLA Connections February 2019 Compliance Corner By Compliance Professionals, For Compliance Professionals. key compliance issues and decisions. It should be clear that the naire would then be shared with the Compliance Officer so governing body was aware of the organization’s risks and made issues and red flags can be trended at the organization and/ decisions on how to prioritize them. Looking at the organiza- or business unit level. If robust monitoring done by business tion’s processes around this can help guide legal counsel on owners can be demonstrated, then a reduced level of auditing whether the compliance program is effective. by the Compliance staff can still lead to an effective compliance program. Training and Education Review what training and education is being done around Background Checks compliance topics, including not only what Compliance is Background checks may seem to be the easiest area to demon- doing, but what is happening across operational units. This is strate effectiveness, but that is not always the case. Someone particularly important when the Compliance Office has limited must be responsible for checking the OIG List of Excluded training and education resources. The Compliance Officer Individuals and Entities or the General Services Adminis- can produce material for the operational business owners to tration’s System of Award Management (SAM) databases. use in routine staff meetings, huddles, and other regularly These checks must be done not only at the point of hire, but scheduled meetings. This should include an attendance sheet, also on a routine basis, such as monthly or quarterly. If there so the training can be tracked. It is highly likely that Human is a match, there must be documentation that the match was Resources (HR) is already tracking other types of training. evaluated, and appropriate action was taken (i.e. assessing the Compliance can leverage HR to record the training when the individual’s involvement in services billed to governmental business owner submits the sign-in sheet, helping the organi- payers). However, not all of this responsibility needs to be on zation demonstrate effectiveness in this element but not make the shoulders of the Compliance Officer. Other business units training and education the sole responsibility of Compliance. like HR for staff and the Medical Staff Office for providers can report their findings to Compliance, which can do a sample Auditing and Monitoring to help ensure the controls are appropriate. Documentation of Demonstrating an effective auditing and monitoring program these activities and appropriate corrective action when a match starts with a process for the risk assessment, which should is found will demonstrate effectiveness. show the engagement of senior leadership and business owners. The assessment should be tied to the relevant portions of the Reporting and Investigations Department of Health and Human Services Office of Inspector Does the organization have an anonymous reporting line? If so, General’s (OIG’s) annual workplan, what is happening in the is there evidence employees are aware of it and use it? A lack of industry and the enforcement landscape, new service lines, significant reports on the anonymous reporting line does not etc. The risk assessment also should evaluate what controls the mean a program is ineffective. If there is a method for tracking organization has in place. For example, if the OIG is looking at issues brought directly to the Compliance Office and those a particular service, that does not necessarily mean the orga- numbers are high, it could mean employees do not feel the need nization must conduct auditing and monitoring around that to report anonymously. Additionally, it could mean that they service if a process for compliance already has been developed feel comfortable reporting directly because they do not fear and tested. retaliation for raising legitimate concerns. A key factor in demonstrating effectiveness in auditing and Look at what the Compliance Office is investigating. Are issues monitoring is assessing the high-risk areas for the organization. brought to Compliance being investigated? If the Compliance When the Compliance Office is underfunded, doing the neces- Office does not have the resources to investigate, this is likely sary level of auditing may be challenging. Again, this is where an area where leveraging other departments may be diffi- other departments must be leveraged. Compliance may seek to cult. While other business units, such as General Counsel or partner with Internal Audit to cover more high-risk areas. Internal Audit, support investigations, effectiveness will suffer if compliance concerns are not investigated because of the lack It is critical to capture all monitoring activity occurring in the of resources. Investigations must be independent and objective organization. Oftentimes, monitoring occurs within multiple so this an area where using the involved business unit is not a business units, making it important to understand and docu- good option. ment these practices to take credit for any monitoring already being done. The Compliance Office must have the resources to investigate properly to be effective. If investigations are taking months There also may be opportunities to engage business units in without valid reasons, that is a sign of a problem. This may additional monitoring. The Compliance Officer may develop a be the one area where the Compliance Officer must convince questionnaire that business units must complete on a routine senior leadership that additional resources are necessary. basis to assure they are doing certain activities. The question- healthlawyers.org 33 Compliance Corner By Compliance Professionals, For Compliance Professionals. Corrective Action Marti Arvin is Vice President of Audit Strategy When an issue was identified, is there evidence that an appro- at CynergisTek. She has more than three priate corrective action was implemented such as prompt decades of operational and executive leadership refunds and any necessary disciplinary actions? Corrective experience in the fields of compliance, research, action needs to be documented and there must be evidence and regulatory oversight in academic medical that disciplinary action is consistent for similar infractions. If a and traditional hospital care settings. Ms. physician is given a slap on the hand but her nurse counterpart Arvin leads strategic business development around compliance is fired that sends a message that some staff are not held to the services and utilizes her industry recognized expertise in same standard. This is one more