1. Compliance Effectiveness Assessments
Georgia Hospital Association Compliance Officers Retreat
September 3, 2014
Shannon Sumner, CPA
Principal
Prepared for Georgia Hospital Association Compliance Officers Retreat
2. Presentation Objectives
• Leading Practices in Compliance Programs
• Self-Assessment Process
• Highlight Leading Practices in the Seven Elements
• Self-Assessment Resources
3. Audience Questions – Experience
• New to Compliance Role (less than 1 year)
• In Honeymoon Phase (1-3 years)
• In Formative Years (4-5 years)
• Hitting Your Stride (6-10 years)
• Been There, Done That (>10 years)
4. Audience Questions – Size of Compliance Team
• Me, Myself, and I (1 person)
• Just the Two of Us (2 people)
• See No Evil, Hear No Evil, Speak No Evil (3 people)
• We are Family (4-5 people)
• Seriously? (>5 people)
5. Audience Questions – Duties
• Vanilla - Compliance Only
• Swirl - Internal Audit and Compliance
• Rocky Road - Everything!!
6. Headlines
Hospitals must address employee fraud reports with procedural fairness
7. Self-Assessment Process
• There is not one single best Compliance Assessment Tool!
• Collaborate with Internal Audit where possible.
• Partner with another Compliance Officer – peer review.
• Recommend Scoring Tool:
- Facilitates Education and Training.
- Facilitates Trending by Area.
8. Key Questions to Ask
• How would you rate your own Compliance Program (Scale 1 – 5, 5 Highest)?
• When was the last time your Compliance Program was audited?
• Have you called your organization’s Compliance Hot Line?
• If someone in your organization is asked “Who is the compliance officer?” would they know what to say?
• Does your Audit/Compliance Committee ask tough questions? Is it engaged?
• Are you aware of (maintain a listing) all outsourced services and vendors?
9. Key Questions to Ask
• Are you aware of all of the joint ventures within your organization?
• Are you copied on all internal audit reports?
• Does your organization have a Fraud Policy and investigation protocol?
• Are you involved in exit interviews for all senior executives and other high-risk areas?
• Do you receive a copy of the external audit Management Letter Comments?
• How comfortable are you that all Conflicts of Interest have been disclosed by Management, Governance, and Physicians?
10. Effectiveness Red Flags
• The Compliance Work Plan has a lot of “Plan to…” line items
• Little to no Hotline Activity
• No history of Compliance Effectiveness Assessments by outside parties
• No questions are asked by Compliance/Audit Committee members
• Auditing error percentages consistently high (>5%)
• Compliance Risk Assessment is conducted in a vacuum
• The Compliance Officer is not aware of the organization’s risk appetite/tolerance
• The Compliance Team has not received compliance specific education
• Action plans are consistently past due
• Risks identified through risk assessment are not addressed (internally or externally)
• Compliance is not advised of what may appear to be “routine” thefts or other human resource issues
11. What is a “Leading Practice?”
12. High Level Oversight
Boards May Use Compliance as a Defense Strategy; Feds Expect More Oversight
“Board members are increasingly entering the compliance fray, and five years from now compliance will have the same level of board oversight as the organization’s finances, a former federal prosecutor says. As regulators, prosecutors, stockholders and other stakeholders demand more from boards, they are asking management, including compliance officers, for more evidence that the compliance program is accomplishing its goals instead of merely rubber-stamping reports.” – Report on Medicare Compliance, August 4, 2014
13. I - High Level Oversight
Compliance Officer (CO) is not a member of senior management and does not have access to the Board of Directors. This could jeopardize the effectiveness of the Compliance program.
CO Reports Directly to the CEO or equivalent (i.e., President) and has unfiltered access to the CEO. Organization must demonstrate that the CO’s reports reach the CEO.
Lack of management understanding, involvement, and support of the compliance program – an organizational culture that does not put a priority on compliance.
Industry Best Practice – The CEO’s incentive compensation is tied to the effectiveness of the compliance program.
14. I - High Level Oversight (Cont’d)
Risk areas within the organization go undetected.
Industry best practice - The compliance risk assessment is part of a broader enterprise-wide risk assessment that includes input from departments such as internal audit, legal, quality, IT, risk management, etc. to ensure adequate coverage.
Industry best practice - The risk assessment includes the potential for fraud.
15. I - High Level Oversight (Cont’d)
Governance’s lack of support and knowledge of the Compliance Program.
The Audit Committee has at least one member knowledgeable of healthcare compliance. The activities of the Audit Committee are reported to the full Board and the Compliance Officer presents at least an annual report to the Board.
CMS Best Practice – Governing Body Resolution supporting the Compliance Program and adherence to compliant, lawful, and ethical conduct. CO has executive session with the Board (without the CEO Present) on an annual basis.
Assessments include feedback from the Audit Committee Chairperson, CEO, and CO regarding the completeness of the compliance reports, the knowledge of committee members, the appropriateness of the committee discussion.
16. II - Policies and Procedures
Lack of policies and procedures that document the framework of the compliance program jeopardizes the effectiveness of the compliance program, and could lessen the ability to demonstrate to regulatory bodies the presence of an effective compliance program.
Assess the extent to which policies and procedures are written clearly and include “real-life” examples.
If Conflict of Interest disclosure statements are not obtained from each trustee, officer, Board or other committee member and key management and employees, unidentified conflicts of interest could exist that could compromise, or appear to compromise judgment.
Review minutes of meetings from the appropriate governance body for the past 12 months to determine whether conflicts of interest were disclosed in accordance with policies and/or procedures.
17. II - Policies and Procedures (Cont’d)
Departments that are impacted by regulatory changes are not aware of them which results in denial of claims and potential allegations of false claims.
There are documented mechanisms to monitor regulatory updates, including National Coverage Determinations (NCD) and Local Coverage Determinations (LCD) and communicate them to the associates and medical staff members impacted by them.
Associates might leave the organization with knowledge of potential compliance issues and subsequently become whistle-blowers.
If exit interviews are completed for any associates, there is at least one question regarding knowledge of potential compliance exposure and a mechanism to inform the CO if any are identified.
18. Open Lines of Communication
19. III - Open Lines of Communication
Compliance issues could be occurring without being reported to management.
Volumes of reports received are tracked and compared to prior periods and to industry norms.
A leading practice is to have the capability of reporting to the hotline anonymously on-line.
Exit interviews are conducted by the CO for high-risk/leadership associates.
20. IV - Training and Education
New associates lack understanding of the compliance program and their related rights and responsibilities.
CMS Best Practice - Mechanism to measure effectiveness of training.
Industry Best Practice – Compliance Quizzes provided to Physicians/Medical Staff.
CMS Best Practice - Training is provided in various formats to keep associates engaged (in person, on-line, games, etc.).
Industry Best Practice - Connect headlines and case studies to real issues within organization.
Industry Best Practice - Demonstrate linkage between organization’s strategies and a strong ethics and compliance program.
21. IV - Training and Education (Cont’d)
Medical Staff lack understanding of the compliance program and their related rights and responsibilities.
Compliance education and information specific to regulatory changes that directly impact them is routinely provided to the Medical Staff.
Compliance department staff are not kept current regarding compliance risk areas or leading practices for compliance programs.
Compliance department staff attend conferences and webinars, subscribe to publications and the OIG’s email list, monitor the OIG’s website, and network with peers to stay up-to-date and get ideas.
Governance lacks understanding of the compliance program and its related rights and responsibilities.
Compliance education and information specific to the entity’s compliance program is provided to Board members at least once every 24 months and the Board Audit Committee, if applicable, at least annually.
22. V - Monitoring and Auditing
False claims could be submitted if auditing and monitoring by qualified independent auditors does not occur.
CMS - The compliance plan must include an independent assessment of the compliance program and be shared with the Board.
CMS - The auditing/monitoring element must include “first tier” entities. This includes entities where the organization has outsourced key elements of its processes (i.e. billing, collections, quality, safety).
23. VI - Response to Deficiencies
Responses to deficiencies do not effectively address the deficiencies.
Periodic reviews of problem areas were conducted to verify that the corrective actions successfully reduced or eliminated existing deficiencies.
Deficiencies are not addressed on a timely basis.
Corrective action plans are implemented within agreed-upon timetables.
24. VII - Consistent Enforcement
Inconsistent disciplinary or other actions are taken in response to compliance policies.
CMS – Must maintain evidence of disciplinary action for a period of 10 years.
• Date violation reported
• Description of violation
• Date of investigation
• Summary of findings
• Disciplinary action taken
• Date disciplinary action taken
CMS – If the HR function is responsible for conducting disciplinary actions there must be a formal process for communicating with the CO on actions taken.
CMS - Publish de-identified disciplinary actions taken to demonstrate that the Sponsor acts on violations of the Standards of Conduct.
25. Self-Assessment Resources
https://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/Downloads/Compliance-Program-Effectiveness-Self-Assessment-Questionnaire.pdf
26. Self-Assessment Resources
http://oig.hhs.gov/compliance/compliance-guidance/docs/Health_Care_Directors_Compliance_Duties.pdf
27. Self-Assessment Resources
Health Care Compliance Association
http://www.hcca-info.org
28. Questions?
29. Thank You!
Shannon Sumner, CPA
Principal
ssumner@pyapc.com
(865) 673-0844