Compliance Effectiveness Assessments

Prepared for Georgia Hospital Association Compliance Officers Retreat

Shannon Sumner, CPA, Principal

September 3, 2014

Upload: pya

Post on 19-Dec-2014

Presentation Objectives

• Leading Practices in Compliance Programs

• Self-Assessment Process

• Highlight Leading Practices in the Seven Elements

• Self-Assessment Resources

Audience Questions – Experience

• New to Compliance Role (less than 1 year)

• In Honeymoon Phase (1-3 years)

• In Formative Years (4-5 years)

• Hitting Your Stride (6-10 years)

• Been There, Done That (>10 years)

Audience Questions – Size of Compliance Team

• Me, Myself, and I (1 person)

• Just the Two of Us (2 people)

• See No Evil, Hear No Evil, Speak No Evil (3 people)

• We are Family (4-5 people)

• Seriously? (>5 people)

Audience Questions – Duties

• Vanilla - Compliance Only

• Swirl - Internal Audit and Compliance

• Rocky Road - Everything!!

Headlines

Hospitals must address employee fraud reports with procedural fairness

Self-Assessment Process

• There is not one single best Compliance Assessment Tool!

• Collaborate with Internal Audit where possible.

• Partner with another Compliance Officer – peer review.

• Recommend Scoring Tool:

  – Facilitates Education and Training.

  – Facilitates Trending by Area.

Key Questions to Ask

• How would you rate your own Compliance Program (Scale 1 – 5, 5 Highest)?

• When was the last time your Compliance Program was audited?

• Have you called your organization’s Compliance Hot Line?

• If someone in your organization is asked “Who is the compliance officer?” would they know what to say?

• Does your Audit/Compliance Committee ask tough questions? Is it engaged?

• Are you aware of (and do you maintain a listing of) all outsourced services and vendors?

Key Questions to Ask

• Are you aware of all of the joint ventures within your organization?

• Are you copied on all internal audit reports?

• Does your organization have a Fraud Policy and investigation protocol?

• Are you involved in exit interviews for all senior executives and other high-risk areas?

• Do you receive a copy of the external audit Management Letter Comments?

• How comfortable are you that all Conflicts of Interest have been disclosed by Management, Governance, and Physicians?

Effectiveness Red Flags

• The Compliance Work Plan has a lot of “Plan to…” line items

• Little to no Hotline Activity

• No history of Compliance Effectiveness Assessments by outside parties

• No questions are asked by Compliance/Audit Committee members

• Auditing error percentages consistently high (>5%)

• Compliance Risk Assessment is conducted in a vacuum

• The Compliance Officer is not aware of the organization’s risk appetite/tolerance

• The Compliance Team has not received compliance-specific education

• Action plans are consistently past due

• Risks identified through risk assessment are not addressed (internally or externally)

• Compliance is not advised of what may appear to be “routine” thefts or other human resource issues

What is a “Leading Practice?”

High Level Oversight

Boards May Use Compliance as a Defense Strategy; Feds Expect More Oversight

“Board members are increasingly entering the compliance fray, and five years from now compliance will have the same level of board oversight as the organization’s finances, a former federal prosecutor says. As regulators, prosecutors, stockholders and other stakeholders demand more from boards, they are asking management, including compliance officers, for more evidence that the compliance program is accomplishing its goals instead of merely rubber-stamping reports.”

– Report on Medicare Compliance, August 4, 2014

I - High Level Oversight

Risk: Compliance Officer (CO) is not a member of senior management and does not have access to the Board of Directors. This could jeopardize the effectiveness of the Compliance program.

Expected Control: CO Reports Directly to the CEO or equivalent (i.e., President) and has unfiltered access to the CEO. Organization must demonstrate that the CO’s reports reach the CEO.

Risk: Lack of management understanding, involvement, and support of the compliance program – an organizational culture that does not put a priority on compliance.

Expected Control: Industry Best Practice – The CEO’s incentive compensation is tied to the effectiveness of the compliance program.

I - High Level Oversight (Cont’d)

Risk: Risk areas within the organization go undetected.

Expected Control: Industry best practice - The compliance risk assessment is part of a broader enterprise-wide risk assessment that includes input from departments such as internal audit, legal, quality, IT, risk management, etc. to ensure adequate coverage.

Expected Control: Industry best practice - The risk assessment includes the potential for fraud.

I - High Level Oversight (Cont’d)

Risk: Governance’s lack of support and knowledge of the Compliance Program.

Expected Control: The Audit Committee has at least one member knowledgeable of healthcare compliance. The activities of the Audit Committee are reported to the full Board and the Compliance Officer presents at least an annual report to the Board.

Expected Control: CMS Best Practice – Governing Body Resolution supporting the Compliance Program and adherence to compliant, lawful, and ethical conduct. CO has executive session with the Board (without the CEO Present) on an annual basis.

Expected Control: Assessments include feedback from the Audit Committee Chairperson, CEO, and CO regarding the completeness of the compliance reports, the knowledge of committee members, the appropriateness of the committee discussion.

II - Policies and Procedures

Risk: Lack of policies and procedures that document the framework of the compliance program jeopardizes the effectiveness of the compliance program, and could lessen the ability to demonstrate to regulatory bodies the presence of an effective compliance program.

Expected Control: Assess the extent to which policies and procedures are written clearly and include “real-life” examples.

Risk: If Conflict of Interest disclosure statements are not obtained from each trustee, officer, Board or other committee member and key management and employees, unidentified conflicts of interest could exist that could compromise, or appear to compromise judgment.

Expected Control: Review minutes of meetings from the appropriate governance body for the past 12 months to determine whether conflicts of interest were disclosed in accordance with policies and/or procedures.

II - Policies and Procedures (Cont’d)

Risk: Departments that are impacted by regulatory changes are not aware of them, which results in denial of claims and potential allegations of false claims.

Expected Control: There are documented mechanisms to monitor regulatory updates, including National Coverage Determinations (NCD) and Local Coverage Determinations (LCD) and communicate them to the associates and medical staff members impacted by them.

Risk: Associates might leave the organization with knowledge of potential compliance issues and subsequently become whistle-blowers.

Expected Control: If exit interviews are completed for any associates, there is at least one question regarding knowledge of potential compliance exposure and a mechanism to inform the CO if any are identified.

Open Lines of Communication

III - Open Lines of Communication

Risk: Compliance issues could be occurring without being reported to management.

Expected Control: Volumes of reports received are tracked and compared to prior periods and to industry norms.

Expected Control: A leading practice is to have the capability of reporting to the hotline anonymously on-line.

Expected Control: Exit interviews are conducted by the CO for high-risk/leadership associates.

IV - Training and Education

Risk: New associates lack understanding of the compliance program and their related rights and responsibilities.

Expected Control: CMS Best Practice - Mechanism to measure effectiveness of training.

Expected Control: Industry Best Practice – Compliance Quizzes provided to Physicians/Medical Staff.

Expected Control: CMS Best Practice - Training is provided in various formats to keep associates engaged (in person, on-line, games, etc.).

Expected Control: Industry Best Practice - Connect headlines and case studies to real issues within organization.

Expected Control: Industry Best Practice - Demonstrate linkage between organization’s strategies and a strong ethics and compliance program.

IV - Training and Education (Cont’d)

Risk: Medical Staff lack understanding of the compliance program and their related rights and responsibilities.

Expected Control: Compliance education and information specific to regulatory changes that directly impact them is routinely provided to the Medical Staff.

Risk: Compliance department staff are not kept current regarding compliance risk areas or leading practices for compliance programs.

Expected Control: Compliance department staff attend conferences and webinars, subscribe to publications and the OIG’s email list, monitor the OIG’s website, and network with peers to stay up-to-date and get ideas.

Risk: Governance lacks understanding of the compliance program and its related rights and responsibilities.

Expected Control: Compliance education and information specific to the entity’s compliance program is provided to Board members at least once every 24 months and the Board Audit Committee, if applicable, at least annually.

V - Monitoring and Auditing

Risk: False claims could be submitted if auditing and monitoring by qualified independent auditors does not occur.

Expected Control: CMS - The compliance plan must include an independent assessment of the compliance program and be shared with the Board.

Expected Control: CMS - The auditing/monitoring element must include “first tier” entities. This includes entities where the organization has outsourced key elements of its processes (i.e. billing, collections, quality, safety).

VI - Response to Deficiencies

Risk: Responses to deficiencies do not effectively address the deficiencies.

Expected Control: Periodic reviews of problem areas were conducted to verify that the corrective actions successfully reduced or eliminated existing deficiencies.

Risk: Deficiencies are not addressed on a timely basis.

Expected Control: Corrective action plans are implemented within agreed-upon timetables.

VII - Consistent Enforcement

Risk: Inconsistent disciplinary or other actions are taken in response to compliance policies.

Expected Control: CMS – Must maintain evidence of disciplinary action for a period of 10 years.

• Date violation reported

• Description of violation

• Date of investigation

• Summary of findings

• Disciplinary action taken

• Date disciplinary action taken

Expected Control: CMS – If the HR function is responsible for conducting disciplinary actions there must be a formal process for communicating with the CO on actions taken.

Expected Control: CMS - Publish de-identified disciplinary actions taken to demonstrate that the Sponsor acts on violations of the Standards of Conduct.

Self-Assessment Resources

https://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/Downloads/Compliance-Program-Effectiveness-Self-Assessment-Questionnaire.pdf

http://oig.hhs.gov/compliance/compliance-guidance/docs/Health_Care_Directors_Compliance_Duties.pdf

Health Care Compliance Association

http://www.hcca-info.org

Questions?

Thank You!

Shannon Sumner, CPA

Principal

[email protected]

(865) 673-0844