HHS-OIG Guidance — Practical Steps to Achieve Effective Compliance (Part III of III)
The specific element discussions in HHS-OIG’s Guidance contain important operational details and strategies for an effective compliance program. GCPG provides important suggestions and innovations for consideration by all compliance professionals.
Effective Lines of Communication
The GCPG stresses the importance of an open line of communication between the compliance officer and entity personnel as a means to reduce potential fraud, waste and abuse. To this end, personnel should be informed about the channels for communicating to the compliance officer (e.g. email, telephone, internet, messaging) and the channels should be publicized in physical and virtual spaces. A compliance officer should occasionally poll personnel to verify awareness of reporting channels and availability for reporting of concerns. To reinforce the importance of such reporting, written confidentiality and nonretaliation policies should be implemented and distributed to employees to encourage communications and reporting of misconduct and concerns.
The compliance committee should also develop independent reporting paths for an employee to report violations of law and entity policies and procedures. In this area, the compliance committee should not request or require that employees first bring such concerns to their manager or supervisor before contacting the compliance officer.
Interestingly, the GCPG notes that “frequent communications” from the same department or employees of the same supervisor may “identify an area of concern to be investigated.” At least one of the reporting channels must allow an employee to report a concern anonymously as well as independent from a business or operational function. The entity should always strive to protect the confidentiality of the reporter’s identity.
All reports relating to compliance should be recorded in a log maintained by the compliance officer (or their designee). All reports should be logged, whether they are made directly to the compliance officer or other compliance personnel, to a leader or manager, or through an anonymous reporting mechanism. The log should include pertinent information regarding each report. The compliance officer should regularly report about concerns received and investigations conducted in their communications with the compliance committee, the CEO and the board.
Consequences and Incentives
Consequences have to follow from noncompliant actions. Consequences may be educational, remedial, punitive, or a variety of these types of results. The severity of any consequences should vary depending on the person’s state of mind (intentional or reckless) and position (supervisory or non-supervisory). The organization should establish and publicize its procedures for identifying, investigating and remediating actions that violate the law, and/or policies or procedures. The compliance officer is responsible for monitoring investigations and resulting discipline to ensure consistency.
Entities should also develop incentives to encourage compliance. To this end, the compliance officer, the compliance committee and other leaders should consider compliance performance for additional compensation, significant recognition or other forms of encouragement. Additional behaviors to be encouraged include: (i) achievement of compliance goals; (ii) achievements that reduce compliance risk; or (iii) performance of compliance activities outside of the individual’s job description.
The compliance committee and other leaders should review whether the entity’s other incentive plans (e.g. sales goals or admission goals) may inadvertently encourage risky or noncompliant behavior such as offering practitioners things of value in exchange for ordering or prescribing an entity’s products or referring patients to the entity’s hospital or nursing home.
Risk Assessment, Auditing and Monitoring
The GCPG notes that organizations have placed “increasing emphasis upon the importance of a formal compliance risk assessment process.” A risk assessment focuses on risks stemming from violations of government health care program requirements and failures to act that may adversely affect the entity’s ability to comply with those requirements. A risk assessment should be conducted at least annually.
A formal compliance risk assessment process should draw on internal or external sources, assess and prioritize the information, and then decide how to mitigate such risks. The compliance committee should be responsible for conducting and implementing the risk assessment. In this respect, the compliance committee may rely on assistance from compliance, audit, quality and risk management functions.
As part of the risk assessment, the organization should use data analytics to identify compliance risk areas. Entities should be able to compare standard metrics to determine which outliers or anomalies should be addressed. Billing software and electronic health records, for example, may generate helpful data for review purposes.
The compliance committee should include in a compliance work plan a schedule of audits in conformance with the overall risk assessment. The compliance committee should ensure that the compliance officer has the capacity to perform or oversee additional audits.
Entities should ensure that any claims reviews and audits include a review of medical necessity of the item or service by an appropriately credentialed clinician. Entities that do not include clinical review of medical necessity may fail to identify important compliance concerns relating to medical necessity. Depending on the size of the organization, the compliance officer may decide to have dedicated compliance auditors reporting to the compliance officer.
The compliance work plan should contain routine monitoring of ongoing risks, plus the capacity to monitor the effectiveness of controls and risk remediation. Some examples include: (i) monthly screening of the LEIE and State Medicaid exclusion lists; (ii) regular screening of State licensure and certification databases; and (iii) annual review of the entity’s policies and procedures.
Responding to Detected Offenses and Developing Corrective Action Initiatives
“It is inevitable that a compliance officer will receive audit or monitoring results that raise concerns or receive a report through the [reporting] program that requires investigating.”
A compliance program should include processes and resources to thoroughly investigate compliance concerns, remediate the violations or misconduct, including reporting to the government if required, and analyze root causes of any identified misconduct. A compliance officer should act promptly to notify leaders and coordinate with counsel as needed to determine whether a violation of law has occurred. Most internal investigations will require interviews and a review of relevant documents — data review, email searches and audits may also be required. If necessary, subjects of the investigation should be placed on leave until the investigation is completed. A contemporaneous record of the investigation should be maintained.
If credible evidence of misconduct is discovered and the compliance officer or counsel has reason to believe that the misconduct may violate criminal, civil or administrative law, then the entity should “promptly” (within 60 days after determination that “credible evidence of a violation exists”) report the misconduct to the government.
To implement corrective actions, the entity should take prompt actions, including (i) refunding of overpayments; (ii) enforcing disciplinary policies and procedures; and (iii) changing policies or procedures to prevent a recurrence.
Throughout the investigation, the compliance officer should focus on the root causes of the misconduct. In this area, the compliance officer should determine whether the conduct exposed any compliance weaknesses that could place the entity at risk for other, unrelated misconduct. Based on this analysis, the compliance committee should ensure that the entity takes the necessary steps to prevent recurrence of the misconduct and remediate any identified areas of vulnerability.