Chapter 4: Evaluation Processes, Investigations, and Noncompliance Response

External Investigations

By Peter C. Anderson,[1] JD, CCEP; Ana-Cristina (Cris) Navarro,[2] JD, CHC; Steve McGraw[3]

Medicare Fraud Strike Force Teams, utilizing the combined resources of federal, state, and local law enforcement entities, continue to investigate healthcare fraud, waste, and abuse at increasing levels. According to the U.S. Department of Health & Human Services Office of the Inspector General (OIG), in only three quarters of 2020, 2,386 criminal actions were launched and 3,075 indictments were rendered, resulting in $3.82 billion in investigative receivables.[4]

There is little doubt that Medicare fraud investigations will increase in the years ahead. In addition to what has been the “business as usual” types of cases, the government will now also be focusing on fraud, waste, and abuse arising out of fund distribution from the Paycheck Protection Program (PPP) and the CARES Act Provider Relief Funds (PRF). Billing fraud (such as hospital upcoding to COVID DRG codes), allegations of medical necessity related to COVID-19, telehealth, defective products (PPE, vaccines, tests), and products covered under the Defense Production Act will be added to the government’s review. Any false information included in PPP and PRF applications is considered a “false claim” under the False Claims Act. Similarly, any misuse of those funds will be investigated. For CARES Act research grants, any failure to comply with regulations and grant conditions, or the falsification of study data, will draw the attention of the Strike Force Teams.

Suspected fraud, waste, and abuse might arise from government audits, whistleblower claims (qui tam), unanticipated problems involving risk and adverse events, or care and quality-improvement audits. Regardless of what ignites an external audit, compliance professionals have the responsibility to lead an organization’s preparation, starting with the proactive work of implementing and sustaining an effective compliance program. The elements of such a program are focused on preventing the issues that may lead to an external investigation; however, the ability to demonstrate that safeguards and practices were in place can help to mitigate the impact of an investigation. We will discuss those preventive steps in this article.

In responding to an external audit, compliance professionals are key in preparing their health systems, hospitals, community health clinics, or other healthcare organizations. Whether responding to a subpoena, preparing a team to respond to government requests, securing electronic and other information records, preparing others in the organization, or preparing the organization for a corporate integrity agreement (CIA), integrity agreement (IA), systems improvement agreement (SIA) (a contract between a healthcare provider and CMS to assist in compliance with the conditions of participation in federal healthcare programs), or other settlement action, the organization’s success in coming out the other side of an investigation can be significantly impacted by the tone and leadership provided by the compliance team. If not managed well, the harm to an organization’s reputation and financial standing could significantly hinder its ability to continue to provide essential services to the community. In some cases, such a loss could be devasting beyond the economic impact on the organization.

This article provides guidance in preventing, responding to, and mitigating the impact of external investigations.

Demonstrating Compliance Program Effectiveness

Compliance guidance and mandates from various government agencies have evolved significantly over the last decade. Just a few short years ago, evidence demonstrating the establishment of a compliance program consistent with the seven elements was viewed as sufficient. Now the focus has shifted from the mere presence of a compliance program to evidence that demonstrates the effectiveness of the compliance program. Regulators are raising the stakes by asking the question, “Can you prove that your compliance program works?”

Specific actions and recommendations help organizations demonstrate the effectiveness of a compliance program. Demonstrating a program’s effectiveness is an important factor for prosecutors when deciding to bring charges or negotiate pleas or other agreements with healthcare providers. DOJ’s Evaluation of Corporate Compliance Programs also states, “Additionally, the United States Sentencing Guidelines advise that consideration be given to whether the corporation had in place at the time of the misconduct an effective compliance program for purposes of calculating the appropriate organizational criminal fine.”[5]

Yet for many organizations, moving beyond a “paper” compliance program to the ability to demonstrate the effectiveness of the compliance program presents significant challenges. These challenges include the following:

  • Lack of resources compounded by tasks requiring manual, labor-intensive processes

  • Existence of multiple, disparate systems for collecting and managing information

  • Lack of ability to view compliance risk across the organization

  • Inability to provide hard data to the regulators as evidence that the organization:

    • Is in full compliance with governing laws and regulations;

    • Proactively monitors for compliance gaps;

    • Initiates measures to remediate gaps and assigns accountability; and

    • Provides up-to-the-minute status reports of assessment results and resulting assignments.

Despite these challenges, the proper tools and processes will help demonstrate the effectiveness of an organization’s compliance program. Ideally, the compliance process should provide global visibility to all compliance activities. The key building blocks include automation of processes, central visibility and control, and proof of compliance for audits. The following are these tools and processes:

  • Automation of processes: Repetitive functions such as reviews and approvals, incident investigations, escalation, and others should be automated; the tasks should be captured with a date and time stamp. Any automation should be designed to augment compliance staff, allowing them to focus more attention on high-value and high-risk activities and reduce manual workloads.

  • Central visibility and control: All information and documentation associated with the compliance program should be stored in a unified repository allowing for easy integration with other governance, risk, and compliance (GRC) information, such as regulatory content, policies and procedures, audits, and corrective action plans.

  • Proof of compliance for audits: Throughout the entire legal and regulatory compliance life cycle, there needs to be a central collection point where all compliance and risk management documents and activities are easily tracked and linked back to their relevant laws, regulations, and standards. This central collection point should serve as a body of evidence of compliance and enable the organization to easily demonstrate proof of compliance for any audit, investigation, exam, or accreditation review. Additionally, an advanced program should have the ability to provide external parties, such as regulators, ready access to the information required by an audit. This capability can be used to enhance credibility by demonstrating a commitment to transparency and cooperation with an open-door approach.

FSGO Elements: How to Demonstrate Effectiveness

Here’s a look at each of the seven elements of a compliance program as outlined in the FSGO and how to collect hard data that clearly demonstrates the effectiveness of a compliance program.

1. Establish Policies, Procedures, and Controls

Organizations must establish standards, procedures, and controls as the primary set (and arguably the most important set) of internal controls. According to the FSGO, these policies and procedures should be reasonably capable of reducing the likelihood of unethical behavior, misconduct, and disregard of laws and regulations. At the heart of this element, there should be a written code of conduct that applies to all employees, delegated entities, and board members.

Here are key requirements needed to demonstrate the effectiveness of this element:

  • Distribute surveys to ascertain if employees understand the policies and procedures related to high-risk laws and regulations, as well as guidelines such as the code of conduct.

  • Collect data regarding gaps in understanding, conflicts of interest, and other policy deviations.

  • Manage corrective actions plans to remediate gaps. Report the status of remediation efforts.

  • Produce reports showing the percentage of code of conduct and policy attestations completed by employees.

  • Perform audits on policies and controls to determine if they have been implemented effectively, especially in high-risk areas.

  • Link policies, procedures, code of conduct, attestations, audits, and corrective actions to specific regulations in a central collection point as evidence of effective compliance management for regulatory audits.

2. Exercise Effective Compliance Oversight

Organizations must involve multiple layers of management in the compliance process with the goal of ensuring the effectiveness of the programs. Designated individuals in each management level must be appropriately knowledgeable about the program. The FSGO imposes specific duties on various levels of management, including the board of directors, senior management, and individuals with primary responsibility for the compliance program.

Here are key requirements needed to demonstrate the effectiveness of this element:

  • Establish compliance committee briefings for the board meetings on a regularly scheduled basis, as well as including compliance as part of the audit committee meetings. Archive the meetings’ agendas, attendance, and discussions.

  • Distribute surveys or assessments to ascertain if employees can identify the compliance officer, and test general knowledge of the compliance officer’s role. Data collected can be scored and analyzed for gaps in understanding.

  • Publish the compliance hotline number and other communication methods to employees via hard-copy postings, on a website, and during routine business communications.

  • Maintain compliance committee meeting minutes and attendance.

  • Set up reports and online executive dashboards for compliance users at each level in the organization to communicate the status of compliance initiatives and ongoing management of issues.

  • Link assessment results, meeting minutes, corrective actions, and other compliance reports to specific regulations in a central collection point as evidence of effective compliance management for regulatory audits.

3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals

Organizations must make reasonable efforts to avoid delegating authority to individuals with a history of engaging in illegal activities or other behavior inconsistent with an effective compliance program. An effective compliance program will provide capabilities for creating, organizing, managing, and communicating policies and procedures related to the hiring and monitoring of employees and vendors. Employees and vendors who are on any sanctions list or who have a known history of problematic behavior should be discovered prior to employment or contract award. The program should also include managing the oversight of vendors and other key business partners with comprehensive risk assessments, surveys for compliance attestations, incident tracking and resolution, and corrective action plan management.

Here are key requirements needed to demonstrate the effectiveness of this element:

  • Define the due diligence screening process codified within the policies and procedures. Distribute these to the appropriate individuals to collect attestations.

  • Store and track due diligence screening reports on business partners and employees as evidence of the due diligence process.

  • Periodically review delegated entities with the same scrutiny as onboarding them for the first time.

  • Manage the investigation and resolution of issues as they arise and show evidence of actions taken.

  • Perform audits on procedures to determine if they have been implemented effectively.

  • Track and report complaints logged and the resolution for each complaint.

  • Link policies, procedures, attestations, business partner screening reports, investigations, audits, and corrective action plans in a central collection point as evidence of effective compliance management for regulatory audits.

4. Communicate and Educate Employees on Compliance Program

Organizations must take reasonable steps to communicate periodically and in a practical manner its standards and procedures and other aspects of the compliance program throughout all levels of an organization, including senior management and the board of directors. Ensuring effective communication and education on the compliance program is an ongoing, multifaceted process. An effective program should have multiple ways to disseminate and reinforce the compliance message throughout the organization. Tactics can include distributing a message from the CEO announcing new or updated policies and procedures, performing assessments after compliance training events, and reporting compliance program information using executive dashboards and reports. Training programs should be designed to be relevant and interesting to the attendees using video-based vignettes, role plays, and real-life current events. Trainings can be a combination of online and live learning.

Here are key requirements needed to demonstrate the effectiveness of this element:

  • Keep track of employee attendance for all company training programs.

  • Identify compliance curricula applicable to the various employee roles.

  • Maintain each employee’s grades/results for every class in which the employee is enrolled.

  • Distribute assessments to employees as a follow-up to compliance training to test general knowledge of the compliance program. Data collected can be analyzed for gaps in understanding.

  • Perform audits on compliance processes and procedures to determine if they have been communicated and implemented effectively.

  • Manage corrective action plans to remediate gaps. Report the status of remediation efforts.

  • Set up reports and online executive dashboards for compliance users at each level in the organization to communicate the status of employee education and the ongoing management of employee training.

  • Link policies, assessment results, audits, and corrective action plans in a central collection point as evidence of effective compliance management for regulatory audits.

5. Monitor and Audit Compliance Program for Effectiveness

Organizations must ensure that the compliance program is followed by employees. They must also create mechanisms for auditing and reporting on the effectiveness of the program. Policies, procedures, and other controls are put in place to help ensure that the organization is managing risk and compliance activities appropriately. But to ensure that they are working as designed, these controls need to be tested as part of an audit plan. An effective compliance program should support the entire audit process, including the management of risk assessments, development of audit plans and associated audits, definition of audit objectives and steps, tracking of audit activities, generation of work papers, development of findings and recommendations, and the management of remediation plans.

Automating scheduled compliance assessments on a quarterly or even monthly basis should enable an organization to closely monitor high-risk areas and assign the necessary remediation tasks and deadlines. Remediation projects should be captured in the system and the data made available via dashboards and alerts to all stakeholders. By providing this level of visibility, managers, executives, and/or board members should be able to monitor relevant information and maintain an always-up-to-date awareness of the organization’s compliance status. Additionally, key compliance areas identified as deficient should be targeted for internal audits.

Here are key requirements needed to demonstrate the effectiveness of this element:

  • Perform risk assessments of compliance processes. Use results to develop audit plans and retain these records.

  • Perform audits on key risks and other key compliance processes and procedures to determine if they are operating effectively.

  • Report findings to the compliance committee. Record in the committee meeting minutes.

  • Manage corrective action plans to remediate issues from findings. Report the status of remediation efforts.

  • Link audit findings and corrective actions to specific regulations in a central collection point as evidence of effective compliance management for regulatory audits.

  • Improve visibility and control by maintaining an internal audit system of record.

  • Manage and track tasks and staff time. Maintain these records in a central location.

  • Track all meetings’ agendas, attendance, and minutes.

6. Ensure Consistent Enforcement and Discipline of Violations

The FSGO indicates that organizations should consistently promote the value and importance of a compliance program. Organizations should reward those actions that demonstrate adherence to an ethical culture and discipline individuals who fail to adhere to the organization’s ethical standards. An effective program should provide each employee with the ability to securely access widely used corporate functions, such as policy searches, directly from the corporate intranet. Additionally, the system should possess the ability to take on the look and feel of familiar corporate applications and adopt the organization’s standards and branding. In other words, it should be easy to use and intuitive for the casual user.

Rewards and disciplinary policies should be drafted and then circulated (using workflow automation) for review, edit, and final approval. Once enforcement policies are finalized, workflow should automatically distribute the policies to all relevant parties. The compliance assessment capabilities previously described should be used to identify compliance gaps and assign remediation tasks and deadlines.

Additionally, the program should capture and store a variety of reportable events or “incidents” to help ensure enforcement after an incident occurs. Enforcement actions and other follow-up tasks related to each incident should be assigned and centrally monitored to ensure proper follow-through. As previously mentioned in the other elements, surveying functionality should support dissemination of questionnaires related to key elements of the compliance program. For example, once a year, each employee may be scheduled to receive a survey that promotes the organization’s compliance program. The survey would likely request an attestation regarding the reading and understanding of the materials along with questions used to confirm the attestation.

Here are key requirements needed to demonstrate the effectiveness of this element:

  • Announce compliance program “wins” on executive dashboards and individual user home pages. Use this method to promote the effectiveness of methods that are used to prevent and detect wrongdoing.

  • Track and store compliance-related incident information and track the progress of investigations.

  • Conduct surveys to determine if employees believe that the organization treats all wrongdoers consistently and fairly.

  • Link investigations, disciplinary actions, and survey results to specific regulations in a central collection point as evidence of effective compliance management for regulatory audits.

  • Establish a central repository for full life cycle management of policies and procedures, including authoring, approvals, version control, audit trail, and archives.

  • Distribute new and revised policies and compliance assessments to all relevant personnel via an easy-to-use and familiar system/process.

  • Confirm attestations, identify gaps, and initiate remediation tasks.

  • Link survey results and follow-up actions to their related laws and regulations.

  • Monitor surveys, results, and follow-ups.

7. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents

Organizations must take appropriate investigative actions in response to suspected compliance and ethics violations. Organizations should also take appropriate steps to preserve the confidentiality of investigations. An effective program should have a management process for compliance incidents and allow for specific processes and teams to be automatically informed based on the type of incident with activities routed to the necessary parties at the appropriate point in time. Personal tasks should be automatically assigned and tracked for each investigation. An effective program should track due dates and timelines, sending alerts when key milestones are in jeopardy of being missed.

Here are key requirements needed to demonstrate the effectiveness of this element:

  • Track the investigation of potential violations and resolution of issues as they arise and show evidence of corrective actions.

  • Execute and archive reports on the number of reported violations, ongoing investigations, and corrective actions.

  • Perform follow-up audits of key compliance processes and procedures to determine if corrective actions are effective in preventing future incidents.

  • Develop a corrective action plan, which may include remedial or additional training for areas of concern.

  • Report investigation findings and corrective actions to the compliance committee. Record in the committee meeting minutes.

  • Link investigations, corrective actions, and audit results to specific regulations in a central collection point as evidence of effective compliance management for regulatory audits.

In addition to addressing the seven elements of effective compliance and ethics program, it is equally important for organizations to maintain the ability to demonstrate the effectiveness of their compliance program with supporting evidence. Regulatory audits of compliance programs have shifted from a focus on program existence to the demonstration of program effectiveness. The failure to demonstrate effectiveness of a compliance program can result in an increased risk of fines and sanctions based on audit findings, as well as significant overhead costs and losses in productivity during exams and audits.

Beyond the potential benefits related to prosecution and conviction, the key attributes within the FSGO have become widely used by organizations seeking to proactively establish effective compliance and ethics programs.

Organizations looking to prove that they have an effective compliance program should recognize that the data-capturing requirements are quite extensive. As a general rule, if it can be measured, then the information should be captured, stored, and recalled in a relevant manner.

This document is only available to subscribers. Please log in or purchase access
Purchase Login
 

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings