WIXLIB

Compliance Program Start Up: What are theBasics Needed for your Infrastructure?Debbie Troklus, CHC-F, CHRC, CCEP-F, CHPC, CCEP-ISenior Managing Director, Ankura ConsultingSheryl Vacca, CHC-F, CHRC, CHPC, CCEP-F, CCEP-ISVP/Chief Risk OfficerProvidence St. Joseph Healthwww.hcca-info.org 888-580-8373What is a Compliance ProgramA program which: Utilizes tools to prevent and/or detect violations of law or policy Defines expectation for employees for ethical and proper behaviors whenconducting business Demonstrates the organization’s commitment to “doing the right thing” Encourages problems to be reported Provides a mechanism for constant monitoring Promotes an ethical culturewww.hcca-info.org 888-580-837321

Why are Compliance Programs Important? Promotes the organization’s mission, vision and values Promotes a Culture of trust and credibility Promotes management accountability Increase awareness throughout the organizationwww.hcca-info.org 888-580-83733Five Practical Tips for Creating A Culture of Compliance* Make compliance plans a priority NOW.Know your fraud and abuse risk areas.Manage your financial relationships.Just because your competitor is doing something doesn’tmean you can or should. Call 1-800-HHS-TIPS to reportsuspect practices. When in doubt, ask for help.*Health Care Fraud Prevention and Enforcement Action Team (HEAT) OIGwww.hcca-info.org 888-580-837342

BOIESAFEMANCTAATTTBOLMSCERTFHAOIAExample of RelevantRegulatoryBodiesfor ComplianceMattersACCOVAEOPRUS Department of AOTOSHSCISDNDOMDAAFPBDHRLNSCEAONIOSH USFAOMEWBVBAENRDOMPRIMAOCIOOIPNSATDAFHACNCS A BECAOIRADTRAOPDFAANMMROPAATFOLAFDICBOEM OIS BAUSGS NAGBSTDNIHETA EACOSCNEHHSSEDIPTOOIAGHS DARPAOAD OIA LDMOSTPNPSOVAWUSPSEBSA OPEOEPOCRFCCOMROTFISAMHSACRCDCFPS OSOJSODNIOFPMJC FECNAEPOCIR PRAOOSOCIONCHSArmyIHSARPACCDOCOPSBOBOCROOWMDBCorp EngNPPDNARA BISNOWCP NISTTTONSFICEORBPMAFHFAFERCMSHASPBDNLRB OGC OCRONDCPOCONDICIARPAPBGCNLTCUS-VISITPHSODEPOSHC OASAMEDBSEEAIMPESDUSDAUS SentencingDCMATDOIACommissionNSD BIIPNIJFWS OCCNRCCBD OAAGONLOSHAOSHRCBSRMACopyright BTSAAPIPHSCCCDNCICODFOLCAFMCFSA OCFOH OWRA FSI FRTIBRITAOLAHSACOPCL HFDCDCNROFMCSNIDRRSSSRSAFoundationOSEPFRSTESD www.hcca-info.orgPEO-CIEDOISERIRS OCC 888-580-8373OUPNTSBOSERS HSSAIOSDBUIFRPDBMSD FTA NFIPOALJOCFOOSGBR5DON’T START FROM SCRATCHwww.hcca-info.org 888-580-83733

OIG Guidance Voluntary DisclosureHospital & SupplementLaboratoryHome HealthThird Party BillingDMEHospice Medicare ChoiceNursing Facilities & SupplementAmbulancePharmaResearch (draft)Physician Practicewww.hcca-info.org 888-580-83737OIG – Practical Guidance for Health Care Governing Boards onCompliance Oversight - 2015“A Critical element of a effective oversight is the process of askingthe right questions .”www.hcca-info.org 888-580-837384

OIG – Measuring Compliance Program Effectiveness: A ResourceGuide - 2017Provides ideas on elements of effectiveness and how to measurewww.hcca-info.org 888-580-83739Other Resources Compliance 101 The Health Care Compliance Professional’s Manual with QuarterlyUpdates The HCCA HIPAA Training Handbook, third edition Health Care Auditing and Monitoring Tools Compliance and Ethics: An Introduction for Health CareProfessionals 501 Ideas for Your Compliance and Ethics Program: Lessons from 30years of practice InternetMany others .www.hcca-info.org 888-580-8373105

Untied States Sentencing Guidelines Effective November 1, 1991 Revised November 2004 and 2010 Control sentencing of organizations for most federal criminal violations Sentencing credit for “effective programs to prevent and detect violations oflaw”www.hcca-info.org 888-580-8373112004 and 2010: FSG Amendments 2004- Corporate Responsibility and Transparency 2010- Gave insight into what an effective compliance program should looklikewww.hcca-info.org 888-580-8373126

Nov. 2010: FSG Amendment 744You can get credit for having an effective program, provided you meet thenew criteria: the head of the compliance program must report directly to the governingauthority or appropriate subgroup, the compliance program must discover the problem before discovery outside theorganization was reasonably likely, the organization must promptly report the problem to the government, and no person with operational responsibility in the compliance program participatedin, condoned or was willfully ignorant of the offense.www.hcca-info.org 888-580-837313Seven Elements of an Effective Compliance Program (paraphrased)1. Standards and Procedures2. Education and Training3. Oversight4. Monitoring and Auditing5. Reporting6. Enforcement and Discipline7. Response and PreventionRisk Assessment and Effectiveness Assessments are not considered part ofthe elements for FSG but are critical to a program’s successwww.hcca-info.org 888-580-8373147

Standards, Procedures and Code Code of Conduct– Simple, short and separate from policies and procedures– Provide to all new employees, staff and vendors and during annual compliance training– Outline employee expectations in ‘plain’ English– Post prominently – posters and/or intranet– Use of attestations– Consider putting code in other languageswww.hcca-info.org 888-580-837315Standards and Procedures Policies and Procedures– Assure that you are not writing policies that should be in the management arena– Senior leadership endorsed/approved including Board– Follow institutional template– Periodically reviewed and revised– Responsible party is defined.– COMPLIANCE DOES NOT OWN ALL POLICIES– Education is provided to all affected staff– Ongoing evaluation/revision– Do not duplicate what might be already in placewww.hcca-info.org 888-580-8373168

Compliance Independence“OIG believes an organization’s Compliance Officer should neither be counselfor the provider, nor be subordinate in function or position to counsel or thelegal department, in any manner. While independent, an organization’s counseland compliance officer should collaborate to further the interests of theorganization. OIG’s position on separate compliance and legal functions reflectsthe independent roles and professional obligations of each function.”Practical Guidance for Health Care Governing Boards on Compliance Oversight, OIG, April2015www.hcca-info.org 888-580-837317OIG: Practical Guidance for Health Care Governing Boards on ComplianceOversight The Compliance Function – prevention, detection, andassuring resolution of actions. The Legal Function – advises the organization on legaland regulatory risks, defends the organization. The Internal Audit Function – provides an objectiveevaluation through the existing risk and internal controlsand framework. The HR function – manages recruiting, screening, andhiring, provides training and development. Quality Improvement – promotes consistent, safe, andhigh quality practices.www.hcca-info.org 888-580-8373189

Investigatewithoutduplicationof effortIdentifycompliancerisksIdentify unctionsCommunicatebetween variousfunctionsthroughout theprocess19www.hcca-info.org 888-580-837319Governance Process and Oversight Oversight group – board andcommittees of the board Stewardship group – executivemanagement Dual role of stewardship ofresources allocated by boardand accountability of resultsof operations Performance group –operating and supportmanagement and staff Assurance group – internaland external auditing functionsand compliance*. *compliance may not beconsidered an assurancefunction in some organizations10

Education and Training Role of Compliance Officer in developing Use training to focus on key risk areas Mandatory vs. Voluntary General annual education Focused/specific education Physician training most effective with timely, personalapproach Essential to reinforcing importance of your complianceprogramwww.hcca-info.org 888-580-837321Monitoring and Auditing Define for your institution the difference between auditingand monitoring Leverage existing resources on auditing and monitoringactivities Annual Plan is developed from a risk assessment andincludes reviewing previous audits, monitors and otherpertinent internal and external information Addition of “ad hoc” projects Concurrent vs. Retrospective Sharing results across the organizationwww.hcca-info.org 888-580-83732211

Reporting and InvestigationMechanism to report matters anonymously, ie: hotline Internal vs. external Caller knows how to receive updates and informationrelated to their matter Tracking of investigations and results Reporting to leadership Non-retaliation and participation in investigation policies Confidentiality and Anonymity Use of performance reviews and exit interviews foridentifying potential areas of concernwww.hcca-info.org 888-580-837323Reporting and Investigation (cont) Process for triaging investigations should be defined Considerations for attorney client privilege should be given to high risk and/orsensitive matters Team to conduct investigations should be defined Investigators should be trained in procedures related to interviews, objectivemethodologies and forensics, where applicable Investigations are confidential Tracking of investigations and results Reporting to leadershipwww.hcca-info.org 888-580-83732412

Response and Prevention Root Cause Analysis MANAGEMENT CREATES Corrective Action Plans and COMPLIANCE audits and monitorsto assure that the action plan mitigated the risk Prevention– Ongoing Monitoring– Training– Revision of controls to mitigate risk, ie: revise policies and procedureswww.hcca-info.org 888-580-837325Enforcement and Discipline Sanctions for non-compliant behaviors Fair and Consistent OIG Sanctions SAM/OIG/SDN Sanctionswww.hcca-info.org 888-580-83732613

Attorney Client Privilege Protect process and initial data gathering Provides for internal assessment before determiningactions “Waiver of the privilege for the government acts as awaiver for all purposes”www.hcca-info.org 888-580-837327Evaluating for Effectiveness Annual review of compliance program Continual review of policies and procedures––––Are policies being followed?Revisions necessary?AwarenessWho is responsible? On-going risk assessment– Assure risks are being mitigated A dynamic processwww.hcca-info.org 888-580-83732814

Conducting a Risk Assessment1.2.3.4.5.6.7.Defining your Risk Assessment MethodologyIdentification of risksEvaluation/Analysis of risksPrioritization of risksManagement action plans for mitigationReporting/documentationAuditing and monitoring mitigation planswww.hcca-info.org 888-580-837329Key Points for a Compliance Officer to Remember1. It is important that the program be scalable to the resourcesavailable to your organization2. Risk Assessments are your “help” in identifying the organization’svulnerabilities and prioritizing them.3. The program will be in evolution from day 1 so each key element ofthe program will mature based on the time, skill and effort given asyou go.4. Rome was not built in one day compliance programs are also notbuilt in one day.5. Build your framework and design, before responding to issues(which incidentally were probably around long before you were).6. DON’T DO THIS ALONE. Find an organization champion to be themanagement voice to support your efforts.7. Network for “sanity” .Identify peers in the profession who can besafe and independent sounding boards for you.www.hcca-info.org 888-580-83733015