Governance & Total Compliance: Regulators' Expectations & Best Practices to Meet Them. Presented by David M. Rottkamp, CPA (Partner, Not-for-Profit Practice Leader) and Alfonso P. Conti, MPA (Manager, Healthcare Management Consulting). PowerPoint presentation transcript.
Slide 1: Governance & Total Compliance
Regulators' Expectations & Best Practices to Meet Them
Presented by:
David M. Rottkamp, CPA – Partner, Not-for-Profit Practice Leader
Alfonso P. Conti, MPA – Manager, Healthcare Management Consulting
Slide 2: Opening Remarks
The year ahead will be a pivotal one for Boards and audit committees.
Many of the larger companies that failed:
o Were sabotaged by Board negligence;
o Were too optimistic;
o Had ill-informed Boards;
o Had Boards that spent too much time looking backwards rather than at the road ahead.
Slide 3: Ex-CEO admits stealing from prominent NYC charity
The politically connected former CEO of a prominent city charity admitted Wednesday he helped steal more than $9 million from the organization in an insurance scheme that authorities linked to campaign contributions.
William Rapfogel pleaded guilty to grand larceny, money laundering and other charges in a case that had rattled city and state political circles.
Source: The Associated Press, April 23, 2014
Slide 4: (no text extracted)
Slide 5: Opening Remarks
Effective leaders are straight shooters who know that if performance or the ability to fulfill obligations is lacking, they must work to educate, demonstrate expectations, and critique behavior that is below the norm.
Slide 6: Recent Surveys
Audit Committees from both the For Profit and Not-For-Profit world agree that the Board:
o Cannot sit back and conduct business as usual!
o Must engage management to understand current and future challenges of the business.
o Must reduce its reactive approach to issues and be more proactive; and
o Must ensure that the right people and skill sets are on the Board to enable the growth and protection of the organization.
Slide 7: Trends in Governance
60% of Boards surveyed replaced or added a director in the last 12 months.
52% of Boards do not oversee their organization's social media strategy and can improve on their technical knowledge.
14% of the Boards surveyed have removed a director due to poor performance/evaluation.
Boards are focusing on age limits and term limits for Board members.
Slide 8: Board Questions
Does your Board consider or have in place:
o A Board succession process
o Constant assessment and challenge of the members
o Optimizing Board seats and rotating them with term limits
o Board member recruitment
o Board mentoring
Slide 9: Why all the Concern?
Governor Cuomo's emphasis on ethics reform in government; it does not stop with the politicians!
Passage of the Not For Profit Revitalization Act, implementation July 1, 2014
Appointment of James Sheehan to head the Charities Bureau (you remember the mantra: educate / prosecute)
Recent media articles on CEO kickbacks in NFP and Healthcare organizations!
OIG published a 52-month average jail time for fraud and abuse convictions.
Corporate Integrity Agreements are getting tougher!
Slide 10: Responsibility of the Governing Board
Fiduciary Duty: This means that the board member will act for the financial benefit of the organization.
Duty of Care: The board member will use a level of care that an ordinarily prudent person would exercise in a similar position when faced with similar circumstances.
Duty of Loyalty: This is an expectation that the governing board member will act in a manner he/she reasonably believes to be in the best interests of the organization.
Slide 11: Boards are Targets of the OMIG / OIG
Boards are being targeted for their focus on:
o Compliance and their direction of the Compliance Officer and Compliance Committee.
o Boards in general need to know what the annual compliance efforts involve.
o Boards are ultimately responsible for the ethical conduct of management.
Slide 12: Boards are Targets of the OMIG / OIG
So how does a Board avoid this embarrassment?
o The answer is culture, education, and continuous focus
o A structure where the Compliance Officer reports to the Board
o It is getting harder and harder to oversee the challenges
Slide 13: Potential Board Solution
A continuous stream of communication
Sharing of compliance efforts
The Board's assistance to the Compliance Officer
Slide 14: Not For Profit Revitalization Act
Passed December 18, 2013; effective date July 1, 2014!
Addresses the growing concerns in the NFP industry! (Target)
Main Components of the Act:
o Mandatory Audit Committee or Board Audit Function
Kickbacks
o Mandatory Whistleblower and Conflict of Interest policies
o Other areas in the Act involve
Document everything
Slide 15: OMIG FAQs Target Boards
Does the board of directors need to approve ALL policies and procedures?
If not, what type of policies MUST have board approval?
Is annual compliance training required for the board of directors, or is it best practice?
What training MUST the board receive on an annual basis?
Is annual defined as “within 365 days” or is there some leeway, such as 13 months?
In the compliance audits conducted by the OMIG or other regulatory agencies of which the OMIG is aware, what are some practical tools used by compliance officers/organizations to get board engagement?
Slide 16: How Can Boards Help Management?
In successful businesses Boards need to set the Tone from the Top!
What does that mean?
o Communicate to Management
o Ensure ethical behavior
o Provide support
Slide 17: Boards and Their Compliance Officer
Where is your Compliance Officer in the Food Chain?
The Compliance Officer position is more critical in 2014!
The Board should know the Compliance Officer!
The Board should know the Compliance Committee!
A Board member should sit on the Committee!
Slide 18: The Compliance Officer: New _ _ _ _ _
Charities Bureau:
o Effective February 1, 2014 the new head of the Charities Bureau (CB) is James Sheehan, former head of the Office of the Medicaid Inspector General. One of his many charges will be the implementation of the NFP Revitalization Act.
o How does that affect the Board and Compliance Officer relationship?
Slide 19: Chief Compliance Officer Responsibility
Facilitate candid conversation at the Board and C-Suite level
Develop ethical leaders
Build ethical leadership incentives
Train everyone in the organization, starting with the Board
Form a Compliance Committee that will assist the CCO
Assess the organization's risk areas
The CCO has an independent voice
Slide 20: Current Practices
Governance involvement
Compliance Committee meetings
Continuous compliance education of staff
Annual risk assessment by departments
Work plan update
Auditing and monitoring program, internally and externally
Reporting to Governance
Slide 21: OMIG Bureau of Compliance
The function of the Bureau of Compliance is to ensure providers of Medicaid services have an effective compliance program in place.
They enforce the year-end certification of compliance programs.
“The goal of these reviews is to assess if providers have compliance programs that meet the requirements of applicable laws, regulations, rules and policies of the Medicaid program” per their introduction letter.
Slide 22: Bureau of Compliance Request
Contact information for the Compliance Officer
Contact information for the Senior Administrative Official
Document request
Compliance Officer information
Copy of the organization chart
Slide 23: Bureau of Compliance Reporting
The turnaround time is usually 1 week.
They want to see:
o Minutes of the Compliance Committee
o Training conducted with staff
o A work plan that addresses the risks identified
o A summary of reviews performed
o Reporting to Governance
Slide 24: Bureau of Compliance Follow-Up
Schedule a site visit
Purpose:
o Meet with a member of Governance
o Speak with Management
o Discuss with the Compliance Officer what their role is
o Perform a walk-around
Slide 25: What Happens If …?
Year-end certification is backed up
The Bureau always finds something in its review
A Discussion Draft is issued
If there is no submission, a final letter is issued
The Bureau suspects laxity and non-adherence to compliance
Slide 26: Compliance Summary
Review existing Compliance Plan documentation
Conduct a review of all supporting policies and procedures
Conduct a comprehensive self-assessment of the program
Prepare an updated work plan on the risk areas identified
Report on a quarterly basis on reviews performed
Slide 27: Other Piece of Compliance: HIPAA
The Final HITECH Regulations went into effect on March 26, 2013. DHHS is allowing Covered Entities (“CEs”) and Business Associates 180 days to come into compliance. This means, unless otherwise noted, CEs and Business Associates must be compliant by September 23, 2013.
The Date has Passed!
Slide 28: Nervous Yet or Relieved?
So now you see the Circle of Life as seen by the OMIG!
o Governance
o Management
o Compliance Officers
You know we are there for You…
Slide 29: MEGA Rule - Impact
The Breach Notification Requirements
Business Associates
Privacy Notice Changes
Marketing / Fundraising / Sale of Protected Health Information (PHI)
Various Miscellaneous Privacy Provisions
Enforcement and Penalties
Slide 30: OCR Study on Breaches
46% of losses involve laptops with PHI.
42% of losses are due to employee mistakes or unintentional action.
Effectiveness of training is questionable.
Slide 31: Mobile Devices
Do you have a Social Media Policy?
Limit access from devices to critical systems
Require the user to read/sign an acceptable use policy
Limit or restrict the download of PHI
Scan devices for viruses/malware
Require anti-virus/anti-malware software prior to connection
Scan devices, removing apps that present a security threat
Slide 32: Compliance with HIPAA Standards
Steps to prepare for it:
o Conduct a security risk assessment and privacy review
o Identify PHI locations throughout the organization
o Create a work plan to mitigate the top risks identified
o Ensure Business Associate agreements are up to date
o Update policies and procedures for the HITECH rule
o Appropriately assign an Officer to oversee
Slide 33: OCR Corrective Action Plan
Recently Skagit County signed off on the CAP after paying a $215,000 settlement:
A three-year program
HHS must approve policies and procedures
o Breach Notification policy
o Accounting for Disclosures
o Hybrid Entity Business Associate Documentation
o Security Management Process
o Update all policies for Federal compliance
o Provide training for all workforce and certify performance
o Reportable events if any workforce member does not comply with these requirements
Slide 34: OCR Corrective Action Plan
Annually a report is submitted no later than 60 days after the signing date of the CAP, containing a summary of security management, reportable events and an attestation by an officer of the County
Institute a document retention requirement for 6 years.
Slide 35: HIPAA Goals / Questions
What are your HIPAA goals?
Meet compliance
Mitigate risk
Improve your security posture
Evaluate your team’s response capabilities (all good responses).
Slide 36: HIPAA Goals / Questions
However, pretend for a moment you have completed an assessment. What are some questions to ask yourself?
What do you hope to show management when reporting results?
Is there something you are trying to prove?
Do you need to test your external network devices?
Are you looking for a thorough review of your web applications?
Do you want to test the security culture of your organization?
Do you have a specific technical area of your environment you need to evaluate that you don’t have the right skill set in-house for?
Slide 37: Summary
Forward-looking Boards must remain:
o Vigilant
o Energetic
o Wary of bad habits
o Objective
o Built on ethics and culture
Successful boards will be those that work in the spirit of continuous improvement at every meeting, while always keeping the long-range goals in mind.
By creating forward-thinking Boards, organizations can avoid the failures and potholes discussed today.
Slide 38: Summary
Building a real, substantive compliance and ethics program will demonstrate to the government, shareholders, employees, rating agencies, and others that your company is indeed committed to integrity.
Slide 39: VACCINE
Slide 40: For more information…
David M. Rottkamp, Partner, Not-for-Profit Practice Leader
Alfonso P. Conti, Healthcare Management Consulting Manager
Grassi & Co., 516-336-2471