COMPLIANCE PROGRAM
GUIDELINES FOR MEDICARE ADVANTAGE
AND NEW YORK MEDICAID HEALTH PLANS
by Paulette Wunsch
April 15, 2016
TABLE OF CONTENTS
I. OVERVIEW AND GOALS OF A COMPLIANCE PROGRAM
II. STRUCTURE AND GUIDELINES OF THE COMPLIANCE PROGRAM
A. ELEMENT 1: WRITTEN POLICIES AND PROCEDURES
B. ELEMENT 2: DESIGNATION OF A COMPLIANCE OFFICER; COMPLIANCE AND RISK STRUCTURE AND GOVERNANCE
C. ELEMENT 3: TRAINING AND EDUCATION
D. ELEMENT 4: COMMUNICATION LINES TO COMPLIANCE
E. ELEMENT 5: DISCIPLINARY POLICIES AND PROCEDURES
F. ELEMENT 6: ROUTINE IDENTIFICATION OF COMPLIANCE RISK AREAS
G. ELEMENT 7: RESPONDING TO COMPLIANCE ISSUES ⎯ REMEDIATION AND SELF-DISCLOSURE
H. ELEMENT 8: POLICY OF NON-INTIMIDATION AND NON-RETALIATION
I. OVERVIEW AND GOALS OF A COMPLIANCE PROGRAM
The importance of having an effective compliance program will be discussed throughout
the guidelines. The origins of an effective compliance program come from the U.S. Sentencing
Guidelines. The U.S. Sentencing Guidelines are used by federal judges when they are
determining what penalty to impose on a company that has been charged with a federal crime.
Since having an effective compliance program allows a judge to impose a lesser penalty or
sentence on an entity, it makes good business sense to invest in one∗ (USSG Section 8B2.1). In
New York, the Office of Medicaid Inspector General (“OMIG”) requires payers and providers
that receive Medicaid dollars to certify annually to having an effective compliance program.
Effectiveness requires more than a ‘check the box’ program, but a program embedded into the
culture of the company. A remarkable aspect of the program is it does not matter if the business
is a securities broker or a restaurant or a health plan, the elements apply universally and when put
into place effectively, the evidence supports that they do protect the company from fraud, waste
and abuse occurring as well as brand and reputational harm in the marketplace. In New York,
the OMIG added one element to the seven elements prescribed by the U.S. Sentencing
Guidelines and that is the policy of non-intimidation and non-retaliation. This element is part of the
first element of the U.S. Sentencing Guidelines version; however, to recognize its importance, the
OMIG decided that it should stand on its own. Within each element there are many processes
and some may need improvement, but if in aggregate the processes are compliant then that
element can be satisfied. However, if there is a failure of any one element to be effective that
will cause the entire program to be ineffective. A program that has all the elements in place, but
lacks a culture of compliance, cannot be effective. It is further recommended that the entity
adopt a values-based system rather than rules-based one, so that ethical decision-making is part
of the program.
Why?
• Without a culture of compliance, any policy could be viewed as something to work
around or something to be ignored.
• Without an ethical framework for resolving issues, the program is left with only rules
to follow. That is a problem because no Code or set of policies can anticipate every
scenario that might occur, so there simply may not be a rule in place to turn to. The
entity should instead train its employees to use a decision-making framework that will
prevent them from proceeding with an action even if it may not be a violation of a
written rule, but could cause harm to the entity, its stakeholders and to the employee.
∗ It goes without saying that having an effective compliance program can be a competitive
advantage as new customers seek out an entity with an excellent reputation. LRN’s 2016 “How
Report” provides data to support this assumption. LRN views organizations through the lens of
three types: 1. blind obedience; 2. informed acquiescence; and 3. self-governance. The last
category is where the staff is inspired by the values-based ethics of the organization and a culture
of true non-retaliation, and what was found is that these self-governing organizations are centers
of innovation and creativity and have gained market share over the others and continue to grow.
(www.LRN.com)
To that end, a comprehensive compliance program should ensure that both legal and
ethical conduct is an integral part of the organization’s culture and operations.
The expectations and standards of conduct of the compliance program should be set forth
in the Code of Conduct which should embed and link to the compliance policies and procedures.
The Code of Conduct should be reviewed annually and updated when necessary. The
Board of Directors should formally resolve (in a “Resolution”) to annually review and approve
the Code of Conduct. A periodic refresh of the Code of Conduct allows it to reflect the latest
issues that staff has had questions about and a new format can make annual training more
engaging.
The compliance program should align with the eight elements as described below in this
illustrative depiction.
The following is a brief description of how each element can be designed, structured and
implemented to make it effective.
II. STRUCTURE AND GUIDELINES OF THE COMPLIANCE PROGRAM
A. ELEMENT 1: WRITTEN POLICIES AND PROCEDURES
1. The Code of Conduct. The Code of Conduct should provide an overview of the
compliance program. It provides the standards for legal and ethical conduct; describes
compliance expectations; implements the operation of the compliance program;
provides guidance to staff and others on dealing with potential compliance issues and
potential fraud, waste and abuse (“FWA”); identifies how to communicate and report
compliance and FWA issues; provides guidance through a question and answer
section of the type of ethical questions that arise in the entity; and describes how
potential compliance problems and FWA are investigated and resolved.
Tips on Drafting a Code:
• Make it readable: Sixth grade reading level is recommended by the experts (i.e.,
not child-like, but clear, concise and precise language; the entity may have
employees whose primary language is not English).
• Add in “Questions and Answers” that relate to the company: Take some examples
from the hotline complaints and de-identify them.
• Provide red flags: Things to look out for in helping to detect FWA.
• Add in pictures: Some Codes use pictures of employees like a yearbook or
themed purchased pictures.
• Make each section an embedded link so staff can get to their question without
having to spend too much time searching for it. That way it becomes a ‘go to’
guide sitting on their computer desktop.
• Make the annual training or a message around launching a new or updated code
memorable: Use of humor causes people to talk about it, spread the word and
promotes retention.
• Distribute it via e-mail or in hard copy to new hires, and all staff, Board members,
and others delegated to assist the health plan that the Centers for Medicare and
Medicaid Services (“CMS”) refers to as first tier, downstream and related entities
(“FDRs”) upon an update.
• Make it visible and accessible on the website. It should be no more than one click
away from the landing page or, ideally, on the landing page right under “Who we
are”. Below it should be placed a link to the hotline and/or the special
investigation unit’s (SIU) intranet referral link and a telephone number to key
compliance personnel.
• It needs to embed in it the basic FWA and Privacy statutes:
− False Claims Act (State and Federal statutes)
− Health Care Fraud (State and Federal statutes)
− The Anti-Kickback Act(s)
− Foreign Corrupt Practices Act
− Commercial Bribery
− Antitrust and Securities violations
− HITECH and HIPAA penalties
− The Whistleblower protection statute(s)
• As well as the risk areas:
− conflicts of interest, gifts and entertainment, work place behavior
(harassment), confidential and proprietary information, marketing, accurate
record keeping, procurement, use of corporate assets, record retention,
relationships with government employees, among other areas. If the entity is
a provider rather than a health plan, or if it is both, then also add topics around
billings and payments, documentation, medical necessity, quality of care,
mandatory reporting, credentialing and exclusions, and the process for
identification and disclosures of overpayments received.
2. Compliance Policies and Procedures. The entity must adopt and implement
compliance policies and procedures that align with the Code of Conduct and if
possible link back and forth between them. The entity also needs to adopt and
implement business policies and procedures, but they do not need to link to the Code.
(See corresponding Manual on drafting effective policies and procedures for MA
Plans).
RECAP AND CONFIRM
Here are some questions asked by the New York OMIG regarding
policies and procedures:
• Do you have written policies and procedures that describe
compliance expectations in a code of conduct or code of
ethics?
• Have you implemented the operation of the compliance
program?
• Do you have written policies and procedures that provide
guidance to employees on dealing with potential compliance
issues?
• Do you have written policies and procedures that provide
guidance to others (like FDRs) on dealing with potential
compliance issues?
• Do you have written policies and procedures that provide
guidance on how to communicate compliance issues to
appropriate compliance personnel?
• Do you have written policies and procedures that provide
guidance on how potential compliance problems are
investigated and resolved?
B. ELEMENT 2: DESIGNATION OF A COMPLIANCE OFFICER; COMPLIANCE
AND RISK STRUCTURE AND GOVERNANCE
The creation of a governance structure that embodies the objectives of Element 2 means
more than updating an organizational chart. This element may be the single most important
element in the compliance program. If the goal of an effective compliance program is to combat
fraud, waste and abuse and create a culture of compliance, governance creates the resources and
leadership to get that job done.
The guidance comes from the Centers for Medicare and Medicaid Services (“CMS”) (42 CFR Section
422.503(b)(4)(vi)(B) and 42 CFR Section 423.504(b)(4)(vi)(B), and throughout Chapter 21 of the
Medicare Compliance Manual), from the New York State Office of the Medicaid Inspector
General (“OMIG”) and from the U.S. Sentencing Guidelines. (See USSG Section 8B2.1)
• Hire a compliance officer that is experienced enough to speak credibly to the CEO
and Board of Directors. CMS recommends that the person be an employee of the
organization and a full-time compliance officer. CMS does have a bias against
having the Compliance Officer also hold another role, but if the organization is small
and the employee can satisfy the responsibilities of both roles (including resolving
any conflicts that may occur from the dual role), then it can be acceptable.
• It is not considered an impermissible dual role when the Compliance Officer also
oversees the privacy program. A Compliance Officer, who is also an attorney, is a
natural fit to manage the privacy process. However, this may not be true of the role of
overseeing security as it requires a strong information technology background and,
unless the Compliance Officer has that background, it would be best to have another
employee as the Chief Security Officer. That said, consider carefully the reporting
structure of the Security Officer. This role is a compliance role in that it should be
solely focused on protecting the security of an entity’s information infrastructure. It
is not a business role and reporting into the Chief Information Officer, who is often
focused on business needs around adopting new products, may sometimes result in a
poor alignment. This issue can be resolved with matrix reporting into Compliance or
Internal Audit.
• It is typically suggested that the Compliance Officer be an employee at the Vice President
level or above who reports to the leadership and the Board. He or she should also be
someone that can manage a staff of employees. The compliance staff is often under
pressure in an organization, and may be at odds with the business functions, so they
need a strong leader to support them. The Board should be part of any hiring decision
and firing decision and have a relationship with the Compliance Officer that may
involve ad hoc telephone calls or meetings between scheduled Board sessions.
• With regular meetings, the Board can then rely upon the Officer as their ‘eyes and
ears’. This assists the Board in its monitoring function, but also can be a very
effective feedback loop from the Board to management. CMS recommends that the
Compliance Officer attend the Board’s Audit Committee meetings and provide a
compliance report, so if the Audit committee meets quarterly, the Compliance Officer
should attend all four meetings, but may only have a full report twice a year.
• Executive sessions between the Compliance Officer and the Audit committee should
be regular and closed even if there is nothing to report on; so when there is an issue, it
is not a noticeable change in process.
• The Compliance Officer should assemble and oversee a compliance committee that is
comprised of senior leadership from each function impacting the health plan and
meets regularly and has the authority to not only identify issues, but also be able to
resolve them.
• There is no better way to communicate the company's dedication to compliance than
by having the Compliance Officer sitting ‘at the table’ when strategic decisions are
being made. It also prevents delays in implementation and costly re-does that may
result from the Compliance Officer being informed after the deal is done.
The entire company will watch to see how leadership treats the compliance officer: It indicates to
the staff how compliance is being viewed by the entity.
• Whether he or she has been assigned sufficient staff and tools to get the job done
• Where his or her office is located
• What his or her official title is
• Who he or she reports to
• Whether he or she is invited to strategy meetings
RECAP AND CONFIRM
Here are some questions asked by the New York OMIG regarding
governance:
• Has a designated employee been vested with responsibility for
the day-to-day operation of the compliance program?
• Are the designated employee’s duties related solely to
compliance?
• If the designated employee’s compliance duties are combined
with other duties, are the compliance responsibilities
satisfactorily carried out?
• Does the designated employee report directly to the entity's
chief executive or other senior administrator?
• Does the designated employee periodically report directly to
the governing body on the activities of the compliance
program?
C. ELEMENT 3: TRAINING AND EDUCATION
Training and Education
• Annual Training: The Board, leadership, and staff must be trained annually on
compliance, privacy and FWA or, in the case of First tier, Downstream and
Related Entities (FDR)∗, they must attest annually to training (unless Medicare
deemed FDRs (typically the network physicians) and then they need only attest to
compliance training). They do not all need to be trained on the same material or
using the same format. It may be easier to train the staff using a computer
module, but it may be better to take an hour of a Board meeting to train the Board
members and executives that attend Board meetings in person. Also, CMS
recommends that every new Board member has one-on-one training about the
compliance program within 90 days of on-boarding, provided, if possible, by
the compliance officer.
• New Hires: They must be trained on Day 1 at orientation, especially on HIPAA
and patient confidentiality, before any PHI is disclosed to them in the workplace.
• National Compliance week: An entity may choose to celebrate the whole week or
one day. It is typically in May each year. It is a great way to make the team
visible on an annual basis and in a fun and engaging manner. This ‘training’ can
have staff-made videos, games, scavenger hunts, and leadership-led town halls.
Trinkets such as pens and mouse pads can be distributed that are imprinted to
reinforce a message and provide ways to report issues. If the compliance officer is
shy, this is an opportunity to get him or her in front of staff, so that when the
government regulator asks, ‘who is your compliance officer?’, the staff answers
the question correctly.
∗ FDRs are obligated to their Sponsors who hold a contract with CMS to give annual (and new
hire) training to certain staff and leaders who oversee delegated functions (first tier) or provide
clinical services to members (downstream) or have “job functions that place the FDR in a
position to commit significant noncompliance with CMS program requirements or health care
FWA.” (HPMS memorandum, December 15, 2015). In addition, an FDR needs to oversee its
FDRs to make certain that they are performing the necessary training. CMS has created a FWA and a
Compliance module that can be accessed online (MLN) or the materials can be taken, though not
modified, and incorporated into training of the FDR’s staff. Medicare providers who are deemed
(have enrolled with CMS) can receive the compliance training by placing the compliance
material in a document they are expected to read. Documenting the training can be challenging.
Various reporting tools can be used from Learning Module reports to a common SharePoint with
staff uploading certificates or class sign-in lists for live presentations. One can document the
‘deemed provider’ communication by retaining evidence of the vehicle of transmission (e.g.,
provider portal or e-mail). The Attestations require that documentation of the training exists and
is retained.
• External Training and Conferences: Set aside funds for staff to attend
conferences like those sponsored by the HCCA. Encourage them to take the
compliance tests and become certified. Also, encourage them to present as
speakers about the best practices of the entity’s compliance program. Entrance
fees are often waived for speakers. Health plans may have their own events
like “Blues Summit” or non-industry specific compliance events like
Ethisphere’s competition for “World’s Most Ethical Company”.
• Periodic Specialized Training: The Compliance unit can assist the business in
training staff on new regulations. CMS requires that, in addition to general
compliance training, the staff be trained on the Medicare requirements related
to their job functions.
• Mandatory Participation: Attendance and participation in training and educational
programs are mandatory for all employees – no exceptions for executives. In fact,
the leadership should be setting an example by being first to complete their
training. The government auditors may be more interested in knowing that the
C-suite took its training than in the overall completion rate of the staff. This raises
the bar to make certain that the entity uses the resources to make the training
engaging and worthwhile every year. (HINT: CMS has asked CFOs during
on-sites if they took the annual training in exit interviews.)
• Training and informal education should be varied, memorable and continuous.
• Training cannot be a once-a-year event.
• What does ‘acting ethically’ mean? As we know, neither the Code of Conduct
nor the laws and requirements can cover every situation, so the training needs to
train staff to ask themselves if the conduct is ethical or if the decision they are
about to make is an ethical one.
Does it pass the ethics test?
− How will others be affected by the decision?
− What effect could this decision have on the company’s reputation?
− How would this decision be portrayed on the front page of the New
York Times?
− How would I explain my decision to my children?
We often hear the expression ‘Tone from the Top’ and there is no doubt that hearing the
message both in the words and actions from the ‘top’ is important and meaningful, but it must be
authentic and match their behavior. A message that is not authentic can be worse than no
message at all. Employees can quickly turn a message about ‘speaking up’ to ‘shutting up’ if
they don’t believe that their leaders will protect them from retaliation.
The leadership should be aware that they are being watched and they need to reflect the
‘tone’ in everything they do, from how they address someone in the cafeteria to making certain
they occasionally eat in the staff cafeteria. They need to show the staff that, when the staff does
something important, they appreciate the effort, especially when it is an improvement that
may impact customer satisfaction, quality and compliance.
There is also tone from the middle which is the message delivered daily by middle
management – what they say and do is also being watched every day by the front-line staff.
Finally, making certain the front-line staff exude the appropriate tone when they speak
with the entity’s customers, network providers and regulators, is critical to an entity’s success.
The front-line staff will reflect the company’s culture so making certain there is an enlightened
‘tone from the top’ will improve customer satisfaction and relationships with stakeholders.
Recap on Training:
Varied: Training can be an e-mail blast on a topic, a monthly “Dear Compliance
Officer” column, a blog (if in real-time this has some risks), de-identified ‘hotline’
questions, a six-second video ‘vine’, etc.
Memorable: Make it stick: As mentioned, humor can be one way to do that.
Continuous: The above messaging must occur all year round with the annual
training being a moment to reflect on what has been learned.
Track It: Retain the above messages and create a system to track how they were
disseminated to recipients. (Training test results and records should be kept for ten
years per CMS).
The government may choose not to prosecute the entity or not to intervene in a False
Claims Action (qui tam) if they determine that the wrongdoer was a “rogue employee” who
chose to ignore the compliance training and education. This was the situation in the Morgan
Stanley case. (See United States v. Garth Peterson).
In the Morgan Stanley case, the government decided not to prosecute Morgan Stanley
for the violations of the Foreign Corrupt Practices Act (FCPA) because the entity was able to
demonstrate that it:
• Maintained a system of internal controls;
• Had internal policies, which were updated regularly to reflect regulatory
developments and specific risks;
• Frequently trained its employees on its internal policies, the FCPA and other
anti-corruption laws; and
• Between 2002 and 2008, Morgan Stanley trained various groups of Asia-based
personnel on anti-corruption policies fifty-four times. During the same period, it
trained Garth Peterson on the FCPA seven times and reminded him to comply
with the FCPA at least thirty-five times.
Return on Investment?
Yes. The Morgan Stanley compliance program protected the corporation from
prosecution and as a result it rewarded Morgan Stanley many millions for having an effective
compliance program.
The entity needs to understand its own unique risks by having a solid annual
risk assessment process and then fashion brief trainings featuring the risks in various ways
throughout the year and keep track of every one. It is optimal if the entity can keep track of
which employees fail to pick up an e-mail message, then re-send it to them and/or speak
directly to them, to make certain the messages are received.
RECAP AND CONFIRM
Here are some questions asked by the New York OMIG regarding
Training:
• Is training and education provided to all staff on compliance
issues, expectations and the compliance program operation?
• Is training and education provided to all Board members on
compliance issues, expectations and the compliance program
operation?
• Does the compliance training occur periodically?
• Is compliance training part of the orientation for new
employees?
• Is compliance training part of the orientation for executives?
• Is compliance training part of the orientation for Board
members?
D. ELEMENT 4: COMMUNICATION LINES TO COMPLIANCE
1. Communication Methods. The Compliance Officer maintains open lines of
communication with all employees to facilitate communication and reporting of
compliance issues.
• Open Access: This means there is an ‘open door’ culture. This does not mean
there is an “open door” to the Compliance Officer as the company should provide
the Officer with a traditional four-walled office (or a room to use) for confidential
conversations with staff.
A health plan also needs to maintain a method of anonymous and confidential
reporting of compliance issues. An internal telephone hotline can be ‘confidential’
if the caller asks the recipient to keep it confidential, however, it can only be
‘anonymous’ if there is a system in place that removes the ability to see who is
calling in. This is why many plans, and almost all Sarbanes-Oxley regulated
entities, have moved to third party vendors that handle the call or web portal
entry, and reply giving the party making the complaint a code number so they can
continue to provide information anonymously and can be updated on the status of
the investigation.
Compliance “Hotline” messages must be clear – Here are some tips on how
to draft the message in the Code:
• Confidentiality: “The entity will hold all information, reports and questions
provided or being raised by any individual in the strictest confidence
permitted by applicable law.” Sometimes the government requires an entity to
disclose the source.
• The Right to Report Anonymously: “If an employee wishes to remain
anonymous, he/she may call the anonymous hotline/web portal.”
• A user-friendly hotline or web portal has become the standard: Although
not required, regulators have come to expect that health plans have a 24-hour-a-day
web portal or hotline so that issues can be logged when the staff is not at
work. If it has a tracking mechanism then it has the added advantage of
making reporting to the Board and others on hotline metrics much easier.
• Investigation and Reporting Back: The Compliance Officer will typically
oversee the investigation of complaints except when the issues involve the
compliance unit’s staff or when outside counsel is handling the investigation.
However, it should be clear that “whoever is handling the inquiry will always
aim to report back to the individual or entity reporting the complaint on the
status and ultimate outcome of the investigation, as permitted by applicable
law.”
Nota Bene: Although anonymous and confidential reporting vehicles are
necessary, it is, of course, a sign of success when the staff identifies themselves
when they report issues. It is an excellent sign that the entity has a strong culture
of compliance and that staff do not have a concern about retaliation for making a
complaint. (Hint: Having a metric showing a trend on anonymous vs. identified
reporting is an excellent chart to provide to management and the Board.)
Tips to avoid the issue turning into a whistleblower complaint and one with
significant penalties:
• How to Report: Reporting in good faith should be stated as an employee
obligation. Employees who identify issues early and help with the
remediation should be rewarded for speaking up. Those who ignore problems
or, even worse, make malicious false reports to simply harm others, should be
disciplined.
• Act swiftly upon information: If a complaint is made and it is not
investigated and a lawsuit is filed, then damages against the company can go
up for having been alerted to the issue, but not having taken action. Also, if
the entity responds quickly to the complainant that the investigation is
underway this may stop the complainant from going to external parties.
• Provide a mechanism to communicate with complainant: Use a method to
continue gathering information from the complainant (e.g., a numbering
system, etc.).
• Most whistleblowers inform the company in some manner before they file
an action: This requires a culture of listening to staff and investigating and
remediating issues when they are raised. Do not ignore the sealed anonymous
letter left on an executive’s chair.
RECAP AND CONFIRM
Here are some questions asked by the New York OMIG regarding
“Open Access”:
• Are there lines of communication to the designated employee
that are accessible to all staff to allow compliance issues to be
reported?
• Are there lines of communication to the designated employee
that are accessible to all executives to allow compliance issues
to be reported?
• Are there lines of communication to the designated employee
that are accessible to Board members to allow
compliance issues to be reported?
• Is there a method in place for anonymous good faith reporting
of potential compliance issues?
• Is there a method in place for confidential good faith reporting
of potential compliance issues?
E. ELEMENT 5: DISCIPLINARY POLICIES AND PROCEDURES
When to Impose Discipline?: The imposition of discipline may be based on
unlawful or unethical actions, negligent or reckless conduct, deliberate ignorance of
the rules that govern the job, condoning or not reporting unlawful actions by others,
retaliation or intimidation against those who report suspected wrongdoing, or other
violations.
Discipline may include giving an employee an oral or written warning, probation for
a specified period, suspension, or termination of employment.
Fair Treatment: Although there is no requirement that everyone be treated exactly
the same for a compliance violation, there is an expectation that the treatment is not
dependent on an employee’s title or financial contribution to the organization. The
Policy should set out what conduct the company has zero tolerance for and then the
company, using its judgment, needs to follow its policy and apply it in a fair and
consistent manner.
Be Timely: If the wrongdoing is well known, then being timely may be very
important, so that the company can get back to business.
Deterrence: It is important that employees, and especially new hires, know what
happens when someone commits an offense. Good examples to use in orientation are
cases where an actual employee was terminated and referred to law
enforcement for an offense like falsifying documents or taking kickbacks. If none
exist, then highlights from the industry work as well.
Compliance Champions: On the flip side, the staff member’s good conduct should
be rewarded. As discussed above, every annual review should have a section with a
‘commitment to compliance’. Also, when an employee identifies an issue and helps
to fix it, that employee’s work can be spotlighted on the website, in an awards
assembly or by being given a spot bonus.
RECAP AND CONFIRM
Here are some questions asked by the New York OMIG regarding
disciplinary policies:
• Do disciplinary policies exist to encourage good faith
participation in the compliance program by all affected
individuals?
• Are there policies in effect that articulate expectations for
reporting compliance issues for all affected individuals?
• Are there policies in effect that articulate expectations for
assisting in the resolution of compliance issues for all affected
individuals?
• Is there a policy in effect that outlines sanctions for failing to
report suspected problems for all affected individuals?
• Is there a policy in effect that outlines sanctions for
participating in non-compliant behavior for all affected
individuals?
• Is there a policy in effect that outlines sanctions for
encouraging, directing, facilitating or permitting non-compliant
behavior for all affected individuals?
• Are all compliance-related disciplinary policies fairly and
firmly enforced?
F. ELEMENT 6: ROUTINE IDENTIFICATION OF COMPLIANCE RISK AREAS
1. Routine Identification of Compliance Risk Areas.
Metrics:
• What is the entity monitoring and measuring?
• How does it measure what it is tracking? Does it set thresholds and targets to
be achievable or aspirational? (Typically, Red, Yellow & Green are used to
identify issues that are on track, off-track, and seriously off-track.) (HINT:
when a manager asks to have the metric threshold and targets be raised, this is
cause for celebration.)
• How does an entity assign accountability for making certain the data is
provided in a timely fashion?
• Can some data be delivered in ‘real-time’ like enrollment data?
• Does an entity use a system to track the data and measure the metrics?
◦ There are many things an entity can measure. Whatever an entity
prioritizes to measure, the entity needs to make certain that, if it is failing,
it digs deep into the root cause(s) to find out why.
◦ Beware of metrics that solely reward timeliness, like claims payment or
complaint resolution. Extraordinary success on timeliness may mean
quality or accuracy are being forfeited for turnaround time.
Below are a few examples of metrics that, when they are failing, leadership and the Board should
be asking “why”:
◦ If first-level decisions or denials are being overturned above a certain %
-- ask why?
◦ If the same members are calling in repeatedly with the same issues to be
resolved -- ask why?
◦ If a high % of claims are not being paid in time -- ask why?
◦ If sales are not sticking -- ask why?
◦ If the entity is not retaining employees -- ask why?
◦ If, as a provider, claims are being denied -- ask why?
• Annual risk assessment: Include the U.S. Office of Inspector General (OIG)
and New York OMIG work plans, as well as internal issues and internal audit
findings; the risks should reflect both the industry and the entity risks. Once a
list of top ten risks is compiled, have each leader, or maybe even all staff, rank
the risks.
• Annual Employee Surveys: There should be questions about how comfortable
the staff feel reporting wrongdoing or even mistakes and how their leadership
responds to their concerns. No one wants to hear bad news, but the sign of a
good leader is one who encourages such reporting. These metrics along with
employee retention are important for the Board to see. Try to keep some
questions the same year over year, so the entity can track a trend over time
in how employees are answering questions such as: Do you know how to
report wrongdoing? Do you feel comfortable reporting issues? Do you feel
the leadership is receptive to bad news?
• Exclusion Process: Compliance needs an enterprise-wide process to regularly
check employees, contracted staff, providers, FDRs and Board members to
assure they are not on the federal exclusion lists.
• Conflict of Interest process: Compliance needs an enterprise-wide process to
annually, and when changes occur throughout the year, allow employees and
Board members to update their conflict of interest (COI) forms. Ideally, this
process is an online form and when a change occurs, Compliance is notified.
• Attestation and Training Process: Compliance needs a process to obtain
attestations from its FDRs as to the FDRs’ compliance training and FWA
training -- if they are not a Medicare deemed provider.
• HIPAA Security Rule Assessment: The Office of Civil Rights (OCR)
recommends a periodic assessment of the potential risks to confidentiality,
integrity and availability of e-PHI held by the covered entity. Initially, OCR
recommended that it be performed annually. Now it appears to be something
less than annually. Also, the OCR is attempting to make the process more
palatable for small providers and in 2014 came out with a security risk
assessment tool specifically for health care providers in small to medium-sized
offices. All covered entities, plans and providers, are required to perform an
assessment. 45 CFR §164.308(a)(1)(ii)(a).
• Compliance Assessment: CMS recommended a few years ago that on an
annual basis a health plan have an external party assess its compliance
program for effectiveness. The recommendation was later modified, because
of concerns about the added cost, to suggest that the ‘external’ party could be
another plan (e.g., one Blue Cross Blue Shield plan assesses another Blue Cross
Blue Shield plan) or even the Internal Audit team, as long as the team is not a
part of the compliance unit. In 2015, CMS suggested that the below tool be
used by sponsoring organizations. It can be used as a self-assessment or by
the party performing the assessment.
◦ https://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/Downloads/Compliance-Program-Effectiveness-Self-Assessment-Questionnaire.pdf
2. Ongoing Compliance Auditing and Monitoring.
• Compliance, Delegated Oversight, Special Investigations Unit (SIU), Internal
Audit and Legal & Regulatory Affairs must work closely together.
• Legal and Regulatory Affairs need to advise business units on how to
implement new regulations with assistance from Compliance and Internal
Audit on overseeing execution.
• Internal Audit must prepare a Master Audit plan and then present it for
approval to the Audit Committee of the Board. Internal Audit should also
lead the Model Audit Rule process that may focus on financial controls or
more broadly take into account all system controls for all functions.
• Compliance may do real-time spot-checking of issues (e.g., making calls to
random members to see if paid services were satisfactorily rendered, or handling
and/or overseeing the outbound enrollment verification process required for
Medicare Advantage plans by CMS).
• SIU typically takes outside referrals and investigates them, but it can
certainly have a role in internal investigations of fraud issues. Certain CMS
Complaint Tracking Module complaints (referred to as CTMs) should be
investigated by the SIU, e.g., sales misrepresentations, while operational
issues may be better suited to be handled by the Compliance unit.
In addition, an entity needs the following functions:
• Delegated Oversight: This unit or program can be part of Compliance or stand
on its own. It must ensure oversight of FDRs’ compliance issues as well as
making certain they are following the service level agreements (‘SLAs’) in
their contracts.
• Credentialing or Sanctioning Committee: There needs to be within the entity a
cross-functional committee that oversees the process of terminations and
sanctioning of network providers. It may be a function of the Credentialing
Committee or it may be a separate committee.
Fraud, Waste and Abuse Program (Special Investigations Unit)
• New York requires that every Payer have a fraud and abuse prevention plan
and a special investigations unit (SIU) to carry it out once it has 10,000 or
more members in its government plan. (10 NYCRR Section 98-1.21).
• However, even if a Payer (or a provider) is not required to have a unit per se,
they still need to identify fraud, waste and abuse as an element of an effective
compliance program, so they may need to have a plan to detect and prevent
fraud and abuse without having an SIU to carry it out. If there is no SIU, then
some of the functions can be handled by the Compliance unit.
• Fraud and Abuse Prevention Plan:
◦ Both payers and providers need to have a fraud line to receive leads.
◦ Payers should have a comprehensive data warehouse where SIU staff can
query patterns of abuse and find potential provider outliers.
◦ Payers should have a process to audit providers on claims already paid
over a 12-month period.
◦ Payers should have a process to identify providers whose claims should be
pended before payment and be able to quickly review those pended claims
before payment.
◦ Payers and providers need to train all of the staff on what to look for to help
in the detection of fraud and abuse.
◦ Providers need to train staff to support claims with accurate, complete and
contemporaneous documentation.
◦ Providers and payers need to have a process around receipt of potential
overpayments. The CMS Final Rule provides 60 days to return an
overpayment to the government and that clock begins to tick upon
quantification of the identified overpayment. (See recent CMS Final Rule,
42 CFR Parts 401 and 405.)
3. Tracking New Developments.
This includes at a minimum:
• Receiving and reviewing daily the Health Plan Management System
(“HPMS”) memos and guidance;
• Reviewing newly issued OIG Special Fraud Alerts and Advisory Opinions;
• Reviewing CMS and OMIG’s compliance alerts and related issuances; and
• Reviewing OMIG and OIG Work Plans and CMS readiness checklist.
Based on any relevant new developments, compliance must oversee and monitor
that the new requirement is implemented and track the execution through an
enterprise-wide process (including delegated entities if impacted). This can be
accomplished through an attestation flow-down process.
Employees should also read publications put out by HCCA, Kaiser Health News,
medical journals, alerts by trusted sources, investor analysis of health care trends,
health plan 10Ks, among other items. Reading materials from a variety of points
of view will improve the staff’s ability to be innovative when solving problems.
RECAP AND CONFIRM
Here are some questions asked by the New York OMIG regarding
disciplinary policies:
• Do you have a system in place for routine identification of
compliance risk areas specific to your provider type?
• Do you have a system in place for self-evaluation of the risk
areas, including internal audits and as appropriate external
audits?
• Do you have a system in place for evaluation of potential or
actual non-compliance as a result of self-evaluations and
audits?
G. ELEMENT 7: RESPONDING TO COMPLIANCE ISSUES -- REMEDIATION
AND SELF-DISCLOSURE
Integrity is not about being perfect. It is about having the ethical backbone to admit
when an error has been made and fixing it.
If Elements 4 and 6 are in place, there should be no shortage of issues being reported.
Typically when a new compliance program is rolled out, there is an uptick in issues
being raised. Once the issues come in, then what?
As described under Element 4, make certain the issue is tracked and then respond, as
soon as possible, to the party that raised the issue, even if it is only a general statement
that the complaint was received and that the party will hear back.
Begin the investigation and as it is on-going, remediate and mitigate the issues along
the way. An entity should never wait until the investigation is complete to remediate
the issues, especially if the issue causing a lack of compliance could impact members
in its un-remediated state. This lesson was recently delivered by the OCR in seeking
Civil Monetary Penalties against a respiratory care provider in an investigation of a
HIPAA violation because the entity knew about the complaint, and the potential
disclosure of more patient information due to the violation, and failed to begin
remediation until the inquiry was closed. (See Lincare, February 3, 2016).
If the issue involves a process issue that has already impacted members and/or
government overpayments, then there needs to be a process to disclose the issues and
the corrective action to CMS and the OMIG.
Disclose early: CMS will penalize the entity in an Audit if an issue is discovered that
was known, or should have been known, and was not disclosed.
Overpayments: As stated above, CMS and the OMIG expect timely refunds of
overpayments received.
Corrective Action Plan (“CAP”): CMS and/or the OMIG will typically require a
corrective action plan, so the entity should have a plan in place when it discloses. It is
not recommended that an entity delay the disclosure until the CAP is complete, but
rather provide information as to when it was put in place and what will be done to
oversee the implementation and execution of the plan and then how it will be
monitored over time.
RECAP AND CONFIRM
Here are some questions asked by the New York OMIG regarding
responding and reporting:
• Is there a system in place for responding to compliance issues
as they are raised?
• Is there a system in place for investigating potential
compliance problems?
• Is there a system in place for responding to compliance
problems as identified in the course of self-evaluations and
audits?
• Is there a system in place for correcting compliance problems
promptly and thoroughly? Is there a system in place for
implementing procedures, policies and systems as necessary to
reduce the potential for recurrence?
• Is there a system in place for identifying and reporting
compliance issues to the NYS Department of Health or the
NYS Office of Medicaid Inspector General?
• Is there a system in place for refunding Medicaid
overpayments?
H. ELEMENT 8: POLICY OF NON-INTIMIDATION AND NON-RETALIATION
The Code of Conduct should state the following:
1. Every employee has an affirmative duty to report issues or concerns that come to
his/her attention through the appropriate channels. Failure to do so can result in
disciplinary action.
2. The entity will not take disciplinary or retaliatory action against an employee who
in good faith raises a concern.
3. Retaliation or intimidation in any form by any individual is strictly prohibited and
is itself a serious violation of the Code of Conduct.
4. Managers have the responsibility to maintain an environment where employees
feel comfortable raising issues or asking questions.
5. If any employee feels that he or she is being intimidated or retaliated against, that
individual needs to contact the Compliance Officer, Chief of Human Resources or
the General Counsel or if necessary the CEO or even the Board.
6. Any employee who commits or condones any form of retaliation needs to know
that they will be subject to discipline including termination.
The OMIG expects that every health care provider and health plan that is required in
New York to have a compliance program have an eighth element -- a policy and
practice of zero retaliation against whistleblowers.
That means that at every level of the organization, an employee can identify a process
failure, a potential risk, and can even be wrong, but if they acted in good faith, then
there should be no retaliation, no dismissal, no demotion, and no change of duties.
Good Faith means they did not intentionally put forth a false complaint.
Is the ‘whistleblower’ given protection? Yes, but not special protection.
A whistleblower or relator must be treated the way all employees should be treated
under the Code of Conduct. An entity cannot discriminate against an employee for
being a whistleblower. The employee should be treated no worse for having reported
the issue.
Any whistleblower who is discharged, demoted, suspended, threatened, harassed or
in any other manner discriminated against by his or her employer for reporting a
violation will be entitled to:
• reinstatement with seniority;
• double back pay;
• interest;
• special damages; and
• attorney’s fees and costs.
RECAP AND CONFIRM
Can you certify to the OMIG that you have:
• A policy of non-intimidation for good faith participation in the
compliance program, including but not limited to reporting
potential issues, investigating issues, self-evaluations, audits
and remedial actions, and reporting to appropriate officials as
provided in Sections 740 and 741 of the New York State Labor
Law?
• A policy of non-retaliation for good faith participation in the
compliance program, including but not limited to reporting
potential issues, investigating issues, self-evaluations, audits
and remedial actions, and reporting to appropriate officials as
provided in Sections 740 and 741 of the New York State Labor
Law?
Both sections prohibit any retaliatory personnel action by the employer against an
employee who “blows the whistle”.
Section 740 is for an action where a violation is alleged that creates and presents a
substantial and specific danger to the public health or safety, or which constitutes
health care fraud.
• Section 740 applies broadly to all employers in New York
State including health care employees.
Section 741 is for an action that the whistleblower “reasonably believed,” in good
faith, that the complained-of activity, policy or practice of the employer constituted
improper quality of patient care.
• Section 741 applies to New York health care employers only.
I. CMS SANCTIONS HEALTH PLANS THAT FAIL TO HAVE AN EFFECTIVE
COMPLIANCE PROGRAM
CMS lists on its website civil monetary penalties assessed against health plans during
program audits. The high risk areas currently involve a failure to monitor the Part D
Pharmacy Benefit Manager (“PBM”); failure to oversee the process to provide accurate
and timely Explanations of Coverage (EOC) and Annual Notice of Coverage (ANOC);
and failure to properly administer the Grievance and Appeals process.
In addition, CMS often mentions the compliance program requirements and a failure to
have in place an effective compliance program. Below is some typical language from the
CMS letters that describes the sanctions:
Compliance Program Relevant Requirements
(42 C.F.R. §§ 422.503(b)(4)(vi) and 423.504(b)(4)(vi); IOM Pub. 100-18 Medicare Prescription
Drug Benefit Manual, Chapter 9; IOM Pub. 100-16 Medicare Managed Care Manual, Chapter
21)
Sponsors are required to adopt and implement an effective compliance program, which must
include measures that prevent, detect and correct non-compliance with CMS’ program
requirements.
An effective compliance infrastructure is necessary for a sponsor to adequately monitor and
oversee its operations as a whole.
Serious issues of non-compliance often occur when a sponsor does not dedicate the resources to
developing and maintaining an effective compliance program.
Some of the most important requirements for an effective compliance program include, but are
not limited to:
• involving the sponsor’s senior leaders in issues of non-compliance;
• developing an effective system for routine monitoring and identifying of compliance
risks;
• promptly responding to compliance issues as they are raised; investigating potential
issues of non-compliance and correcting those problems;
• and monitoring and auditing first tier entities that contract with the sponsor to ensure that
they are in compliance with CMS requirements.
Failure to have an effective compliance program is considered by CMS a violation of the
health plan’s contract and can result in penalties and other sanctions. Here are a few
compliance related violations:
1. Failure to establish and implement a formal risk assessment and an effective system for
routine monitoring and auditing of identified compliance risks. This is in violation of 42
C.F.R. §§ 422.503(b)(4)(vi)(F) and 423.504(b)(4)(vi)(F); IOM Pub. 100-16 Medicare
Managed Care Manual, Chapter 21, Section 50; and IOM Pub. 100-18 Medicare
Prescription Drug Benefit Manual, Chapter 9, Section 50.
2. Failure to have adequate and appropriate resources dedicated to FDR audit activities.
This is in violation of 42 C.F.R. §§ 422.503(b)(4)(vi)(F) and 423.504(b)(4)(vi)(F); IOM
Pub. 100-16 Medicare Managed Care Manual, Chapter 21, Section 50; and IOM Pub.
100-18 Medicare Prescription Drug Benefit Manual, Chapter 9, Section 50.
3. Failure to provide updates on results of monitoring, auditing, and compliance failures to
senior leadership. This is in violation of 42 C.F.R. §§ 422.503(b)(4)(vi)(B) and
423.504(b)(4)(vi)(B); IOM Pub. 100-16 Medicare Managed Care Manual, Chapter 21,
Section 50; and IOM Pub. 100-18 Medicare Prescription Drug Benefit Manual, Chapter 9,
Section 50.
4. Failure to receive regular reports of audit and monitoring results and the status of the
effectiveness of corrective actions taken. This is in violation of 42 C.F.R. §§
422.503(b)(4)(vi)(F) and 423.504(b)(4)(vi)(F); IOM Pub. 100-16 Medicare Managed
Care Manual, Chapter 21, Section 50; and IOM Pub. 100-18 Medicare Prescription Drug
Benefit Manual, Chapter 9, Section 50.
5. Failure to maintain thorough documentation of all deficiencies identified and corrective
actions taken. This is in violation of 42 C.F.R. §§ 422.503(b)(4)(vi)(G) and
423.504(b)(4)(vi)(G); IOM Pub. 100-16 Medicare Managed Care Manual, Chapter 21,
Section 50; and IOM Pub. 100-18 Medicare Prescription Drug Benefit Manual, Chapter
9, Section 50.
CMS will look at the health plan’s resources to see if it is properly staffed to perform the
obligations of its contract. A letter on the website stated:
The [Plan] did not have the proper resources dedicated to the compliance function, which
affected their ability to complete a formalized risk assessment, implement annual monitoring and
auditing work plans, and ensure its operational areas complied with Medicare regulations.
In addition to having insufficient staff, the [Plan] did not demonstrate an understanding of CMS
requirements for monitoring its FDRs and assumed its FDRs would independently comply with
all applicable CMS requirements. The committee overseeing the compliance program was not
aware of its responsibilities and requirements for reporting auditing and monitoring activities to
its senior leadership. The [Plan’s] Compliance Officer was not able to effectively conduct any
follow up of corrective action plans to ensure they were effective in fully addressing and
resolving identified compliance issues.
How does a compliance program help with the objective of detection and
prevention of non-compliance and fraud, waste and abuse?
• A well-written Code is read, understood and followed by the staff.
• Policies and procedures that can be easily located, reflect practices and are
regularly updated are referred to and followed by employees.
• The culture of ethical behavior with a strong commitment from the top makes it
clear to the staff what the entity is about. It can distinguish an entity in the
marketplace, providing the entity with a reputation that it can be trusted. It can
help to attract and retain highly ethical employees.
• Appropriate governance in terms of reporting structure, decision-making and
accountability can provide leadership with a window to its issues and improve
risk management.
• Training on ‘hot spots’ and ‘red flags’ helps to detect fraud, waste and abuse.
• Having a hotline lets an entity find the issues, remediate them and track and trend
the outcomes.
• Spotlighting compliance champions will make everyone want to be a champion.
• Monitoring and Oversight that is collaborative and cooperative can make
compliance an enterprise-wide priority.
• Metrics and reporting help the entity to learn from its operational failures and
improve over time.
• The culture of no retaliation means that issues will be raised, reported and
remediated early and possibly before members have been impacted. If the issues
need to be disclosed to the government, the issues will be disclosed by the entity
rather than by a whistleblower.
Paulette Wunsch is a consultant in areas of compliance and managed care operational
effectiveness. She is an attorney and member of the Bar in New York and Connecticut.
Prior to consulting, Paulette held roles as a General Counsel, Chief Compliance Officer and
Associate General Counsel at MCOs including Oxford Health Plans, UnitedHealthcare,
WellCare, Blue Cross Blue Shield of Florida, Nippon Life Benefits and VNSNY.
Prior to coming in-house, she practiced law in the law firm of Day, Berry & Howard (now
known as Day Pitney) where she represented both health plans and providers and prior to that
she spent eight years with the U.S. Department of Justice, including serving as a federal
prosecutor in the U.S. Attorney's Office in Manhattan during which time she was part of the New
York Health care Task Force.
She received her B.A. from the University of Chicago, her J.D. from Yeshiva University,
Cardozo School of Law and her LL.M. from Columbia University, School of Law.

 
Compliance Programs Critical Safeguard
Compliance Programs Critical SafeguardCompliance Programs Critical Safeguard
Compliance Programs Critical Safeguard
 
IT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric  Overview .docxIT 549 Final Project Guidelines and Rubric  Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docx
 
Huron Webinar_Government Pricing_A Top Priority for the Compliance Department...
Huron Webinar_Government Pricing_A Top Priority for the Compliance Department...Huron Webinar_Government Pricing_A Top Priority for the Compliance Department...
Huron Webinar_Government Pricing_A Top Priority for the Compliance Department...
 
Hassan Qaqaya
Hassan QaqayaHassan Qaqaya
Hassan Qaqaya
 
Project 1Create an application that displays payroll informatio.docx
Project 1Create an application that displays payroll informatio.docxProject 1Create an application that displays payroll informatio.docx
Project 1Create an application that displays payroll informatio.docx
 
How HIM Supports the Seven Elements of an Effective Compliance Program
How HIM Supports the Seven Elements of an Effective Compliance ProgramHow HIM Supports the Seven Elements of an Effective Compliance Program
How HIM Supports the Seven Elements of an Effective Compliance Program
 
Third Party Due Diligence - Know Your Third Party - EY India
Third Party Due Diligence - Know Your Third Party - EY IndiaThird Party Due Diligence - Know Your Third Party - EY India
Third Party Due Diligence - Know Your Third Party - EY India
 
Healthcare quality improvement organization.docx
Healthcare quality improvement organization.docxHealthcare quality improvement organization.docx
Healthcare quality improvement organization.docx
 
Dashboard Benchmark Evaluation.docx
Dashboard Benchmark Evaluation.docxDashboard Benchmark Evaluation.docx
Dashboard Benchmark Evaluation.docx
 
Title of PaperYour nameHCA375– Continuous Quality Monito.docx
Title of PaperYour nameHCA375– Continuous Quality Monito.docxTitle of PaperYour nameHCA375– Continuous Quality Monito.docx
Title of PaperYour nameHCA375– Continuous Quality Monito.docx
 
IHP 610 Final Project Guidelines and Rubric Overview
IHP 610 Final Project Guidelines and Rubric  Overview IHP 610 Final Project Guidelines and Rubric  Overview
IHP 610 Final Project Guidelines and Rubric Overview
 
An Introduction To Compliance Program
An Introduction To Compliance ProgramAn Introduction To Compliance Program
An Introduction To Compliance Program
 
theprinciplesmaturitymodel
theprinciplesmaturitymodeltheprinciplesmaturitymodel
theprinciplesmaturitymodel
 
Discusses the resources needed to ensure billing and coding compliance update...
Discusses the resources needed to ensure billing and coding compliance update...Discusses the resources needed to ensure billing and coding compliance update...
Discusses the resources needed to ensure billing and coding compliance update...
 
Strategic Thinking, TCF and Action Plans
Strategic Thinking, TCF and Action PlansStrategic Thinking, TCF and Action Plans
Strategic Thinking, TCF and Action Plans
 
HFG Toolkit Presentation
HFG Toolkit PresentationHFG Toolkit Presentation
HFG Toolkit Presentation
 
corporate-governance-test-bank.pdf
corporate-governance-test-bank.pdfcorporate-governance-test-bank.pdf
corporate-governance-test-bank.pdf
 
Actions speak louder than words
Actions speak louder than wordsActions speak louder than words
Actions speak louder than words
 

ComplianceGuidelinesUploaded6.14PDF

  • 1. COMPLIANCE PROGRAM GUIDELINES FOR MEDICARE ADVANTAGE AND NEW YORK MEDICAID HEALTH PLANS by Paulette Wunsch April 15, 2016
  • 2. COMPLIANCE PROGRAM GUIDELINES FOR MEDICARE ADVANTAGE AND NEW YORK MEDICAID HEALTH PLANS TABLE OF CONTENTS Page I.   OVERVIEW AND GOALS OF A COMPLIANCE PROGRAM............................. 1   II.  STRUCTURE AND GUIDELINES OF THE COMPLIANCE PROGRAM .......... 4   A.  ELEMENT 1: WRITTEN POLICIES AND PROCEDURES......................................... 4   B.   ELEMENT 2: DESIGNATION OF A COMPLIANCE OFFICER; COMPLIANCE AND RISK STRUCTURE AND GOVERNANCE ....................................... 7   C.  ELEMENT 3: TRAINING AND EDUCATION ............................................................ 10   D.  ELEMENT 4: COMMUNICATION LINES TO COMPLIANCE ................................ 15   E.   ELEMENT 5: DISCIPLINARY POLICIES AND PROCEDURES .............................. 18   F.   ELEMENT 6: ROUTINE IDENTIFICATION OF COMPLIANCE RISK AREAS .... 20   G.  ELEMENT 7: RESPONDING TO COMPLIANCE ISSUES ⎯ REMEDIATION AND SELF-DISCLOSURE ............................................................................... 26   H.  ELEMENT 8: POLICY OF NON-INTIMIDATION AND NON-RETALIATION ..... 28  
I. OVERVIEW AND GOALS OF A COMPLIANCE PROGRAM

The importance of having an effective compliance program will be discussed throughout the guidelines. The origins of an effective compliance program come from the U.S. Sentencing Guidelines. The U.S. Sentencing Guidelines are used by federal judges when they are determining what penalty to impose on a company that has been charged with a federal crime. Since having an effective compliance program allows a judge to impose a lesser penalty or sentence on an entity, it makes good business sense to invest in one∗ (USSG Section 8B2.1). In New York, the Office of Medicaid Inspector General (“OMIG”) requires payers and providers that receive Medicaid dollars to certify annually to having an effective compliance program.

Effectiveness requires more than a ‘check the box’ program; it requires a program embedded into the culture of the company. A remarkable aspect of the program is that it does not matter whether the business is a securities broker, a restaurant or a health plan: the elements apply universally and, when they are put into place effectively, the evidence supports that they do protect the company from fraud, waste and abuse occurring as well as brand and reputational harm in the marketplace.

In New York, the OMIG added one element to the seven elements prescribed by the U.S. Sentencing Guidelines, and that is the policy of non-intimidation and non-retaliation. The element is in the first element of the U.S. Sentencing Guidelines version; however, to recognize its importance the OMIG decided that it should stand on its own.

Within each element there are many processes and some may need improvement, but if in aggregate the processes are compliant then that element can be satisfied. However, if any one element fails to be effective, that will cause the entire program to be ineffective.
A program that has all the elements in place, but lacks a culture of compliance, cannot be effective. It is further recommended that the entity adopt a values-based system rather than a rules-based one, so that ethical decision-making is part of the program. Why?

• Without a culture of compliance, any policy could be viewed as something to work around or something to be ignored.
• Without an ethical framework for resolving issues, the program is left with only rules to follow. That is a problem because no Code or set of policies can anticipate every scenario that might occur, so there simply may not be a rule in place to turn to. The entity should instead train its employees to use a decision-making framework that will prevent them from proceeding with an action even if it may not be a violation of a written rule, but could cause harm to the entity, its stakeholders and to the employee.

∗ It goes without saying that having an effective compliance program can be a competitive advantage as new customers seek out an entity with an excellent reputation. LRN’s 2016 “How Report” provides data to support this assumption. It views organizations through the lens of three types: 1. blind obedience; 2. informed acquiescence; and 3. self-governance. The last category is where the staff is inspired by the values-based ethics of the organization and a culture of true non-retaliation. What was found is that these self-governing organizations are centers of innovation and creativity, have gained market share over the others and continue to grow. (www.LRN.com)

To that end, a comprehensive compliance program should ensure that both legal and ethical conduct is an integral part of the organization’s culture and operations. The expectations and standards of conduct of the compliance program should be set forth in the Code of Conduct, which should embed and link to the compliance policies and procedures. The Code of Conduct should be reviewed annually and updated when necessary. The Board of Directors should formally resolve (in a “Resolution”) to annually review and approve the Code of Conduct. A periodic refresh of the Code of Conduct allows it to reflect the latest issues that staff has had questions about, and a new format can make annual training more engaging.

The compliance program should align with the eight elements as described below in this illustrative depiction.
The following is a brief description of how each element can be designed, structured and implemented to make it effective.
II. STRUCTURE AND GUIDELINES OF THE COMPLIANCE PROGRAM

A. ELEMENT 1: WRITTEN POLICIES AND PROCEDURES

1. The Code of Conduct. The Code of Conduct should provide an overview of the compliance program. It provides the standards for legal and ethical conduct; describes compliance expectations; implements the operation of the compliance program; provides guidance to staff and others on dealing with potential compliance issues and potential fraud, waste and abuse (“FWA”); identifies how to communicate and report compliance and FWA issues; provides guidance through a question and answer section on the type of ethical questions that arise in the entity; and describes how potential compliance problems and FWA are investigated and resolved.

Tips on Drafting a Code:

• Make it readable: A sixth grade reading level is recommended by the experts (i.e., not child-like, but clear, concise and precise language; the entity may have employees whose primary language is not English).
• Add in “Questions and Answers” that relate to the company: Take some examples from the hotline complaints and de-identify them.
• Provide red flags: Things to look out for in helping to detect FWA.
• Add in pictures: Some Codes use pictures of employees, like a yearbook, or themed purchased pictures.
• Make each section an embedded link so staff can get to their question without having to spend too much time searching for it. That way it becomes a ‘go to’ guide sitting on their computer desktop.
• Make the annual training or a message around launching a new or updated Code memorable: Use of humor causes people to talk about it, spread the word and promotes retention.
• Distribute it via e-mail or in hard copy to new hires, and to all staff, Board members, and others delegated to assist the health plan (which the Centers for Medicare and Medicaid Services (“CMS”) refers to as first tier, downstream and related entities (“FDRs”)) upon an update.
• Make it visible and accessible on the website. It should be no more than one click away from the landing page or, ideally, on the landing page right under “Who we are”. Below it should be placed a link to the hotline and/or the special investigation unit’s (SIU) intranet referral link and a telephone number to key compliance personnel.
• It needs to embed in it the basic FWA and Privacy statutes:
  − False Claims Act (State and Federal statutes)
  − Health Care Fraud (State and Federal statutes)
  − The Anti-Kickback Act(s)
  − Foreign Corrupt Practices Act
  − Commercial Bribery
  − Antitrust and Securities violations
  − HITECH and HIPAA penalties
  − The Whistleblower protection statute(s)
• As well as the risk areas:
  − conflicts of interest, gifts and entertainment, work place behavior (harassment), confidential and proprietary information, marketing, accurate record keeping, procurement, use of corporate assets, record retention, relationships with government employees, among other areas. If the entity is a provider rather than a health plan, or if it is both, then also add topics around billings and payments, documentation, medical necessity, quality of care, mandatory reporting, credentialing and exclusions, and the process for identification and disclosures of overpayments received.

2. Compliance Policies and Procedures. The entity must adopt and implement compliance policies and procedures that align with the Code of Conduct and, if possible, link back and forth between them. The entity also needs to adopt and implement business policies and procedures, but they do not need to link to the Code. (See corresponding Manual on drafting effective policies and procedures for MA Plans).
RECAP AND CONFIRM

Here are some questions asked by the New York OMIG regarding policies and procedures:

• Do you have written policies and procedures that describe compliance expectations in a code of conduct or code of ethics?
• Have you implemented the operation of the compliance program?
• Do you have written policies and procedures that provide guidance to employees on dealing with potential compliance issues?
• Do you have written policies and procedures that provide guidance to others (like FDRs) on dealing with potential compliance issues?
• Do you have written policies and procedures that provide guidance on how to communicate compliance issues to appropriate compliance personnel?
• Do you have written policies and procedures that provide guidance on how potential compliance problems are investigated and resolved?
B. ELEMENT 2: DESIGNATION OF A COMPLIANCE OFFICER; COMPLIANCE AND RISK STRUCTURE AND GOVERNANCE

The creation of a governance structure that embodies the objectives of Element 2 means more than updating an organizational chart. This element may be the single most important element in the compliance program. If the goal of an effective compliance program is to combat fraud, waste and abuse and create a culture of compliance, governance creates the resources and leadership to get that job done. The guidance comes from the Centers for Medicare & Medicaid Services (“CMS”) (42 CFR Section 422.503(b)(4)(vi)(B), 42 CFR Section 423.504(b)(4)(vi)(B) and throughout Chapter 21 of the Medicare Compliance Manual), from the New York State Office of the Medicaid Inspector General (“OMIG”) and from the U.S. Sentencing Guidelines (see USSG Section 8B2.1).

• Hire a compliance officer who is experienced enough to speak credibly to the CEO and Board of Directors. CMS recommends that the person be an employee of the organization and a full-time compliance officer. CMS does have a bias against having the Compliance Officer also hold another role, but if the organization is small and the employee can satisfy the responsibilities of both roles (including resolving any conflicts that may occur from the dual role), then it can be acceptable.
• It is not considered an impermissible dual role when the Compliance Officer also oversees the privacy program. A Compliance Officer who is also an attorney is a natural fit to manage the privacy process. However, this may not be true of the role of overseeing security, as it requires a strong information technology background and, unless the Compliance Officer has that background, it would be best to have another employee as the Chief Security Officer. That said, consider carefully the reporting structure of the Security Officer. This role is a compliance role in that it should be solely focused on protecting the security of an entity’s information infrastructure. It is not a business role, and reporting into the Chief Information Officer, who is often focused on business needs around adopting new products, may sometimes result in a poor alignment. This issue can be resolved with matrix reporting into Compliance or Internal Audit.
• It is typically suggested that the Compliance Officer be an employee at the Vice President level or above who reports to the leadership and the Board. He or she should also be someone who can manage a staff of employees. The compliance staff is often under pressure in an organization, and may be at odds with the business functions, so they need a strong leader to support them. The Board should be part of any hiring decision and firing decision and have a relationship with the Compliance Officer that may involve ad hoc telephone calls or meetings between scheduled Board sessions.
• With regular meetings, the Board can then rely upon the Officer as their ‘eyes and ears’. This assists the Board in its monitoring function, but also can be a very effective feedback loop from the Board to management. CMS recommends that the Compliance Officer attend the Board’s Audit Committee meetings and provide a compliance report, so if the Audit Committee meets quarterly, the Compliance Officer should attend all four meetings, but may only have a full report twice a year.
• Executive sessions between the Compliance Officer and the Audit Committee should be regular and closed even if there is nothing to report on, so that when there is an issue, it is not a noticeable change in process.
• The Compliance Officer should assemble and oversee a compliance committee that is comprised of senior leadership from each function impacting the health plan, meets regularly and has the authority not only to identify issues, but also to resolve them.
• There is no better way to communicate the company's dedication to compliance than by having the Compliance Officer sitting ‘at the table’ when strategic decisions are being made. It also prevents delays in implementation and costly re-dos that may result from the Compliance Officer being informed after the deal is done.

The entire company will watch to see how leadership treats the compliance officer. It indicates to the staff how compliance is being viewed by the entity:

• Whether he or she has been assigned sufficient staff and tools to get the job done
• Where his or her office is located
• What his or her official title is
• Who he or she reports to
• Whether he or she is invited to strategy meetings
RECAP AND CONFIRM

Here are some questions asked by the New York OMIG regarding governance:

• Has a designated employee been vested with responsibility for the day-to-day operation of the compliance program?
• Are the designated employee’s duties related solely to compliance?
• If the designated employee’s compliance duties are combined with other duties, are the compliance responsibilities satisfactorily carried out?
• Does the designated employee report directly to the entity's chief executive or other senior administrator?
• Does the designated employee periodically report directly to the governing body on the activities of the compliance program?
C. ELEMENT 3: TRAINING AND EDUCATION

Training and Education

• Annual Training: The Board, leadership, and staff must be trained annually on compliance, privacy and FWA or, in the case of First tier, Downstream and Related Entities (FDR)∗, they must attest annually to training (unless they are Medicare deemed FDRs (typically the network physicians), in which case they need only attest to compliance training). They do not all need to be trained on the same material or using the same format. It may be easier to train the staff using a computer module, but it may be better to take an hour of a Board meeting to train the Board members and executives that attend Board meetings in person. Also, CMS recommends that every new Board member has one-on-one training about the compliance program within 90 days of on-boarding, if possible provided by the compliance officer.
• New Hires: They must be trained on Day 1 at orientation, especially on HIPAA and patient confidentiality, before any PHI is disclosed to them in the workplace.
• National Compliance week: An entity may choose to celebrate the whole week or one day. It is typically in May each year. It is a great way to make the team visible on an annual basis and in a fun and engaging manner. This ‘training’ can have staff-made videos, games, scavenger hunts, and leadership-led town halls. Trinkets such as pens and mouse pads can be distributed that are imprinted to reinforce a message and provide ways to report issues. If the compliance officer is shy, this is an opportunity to get him or her in front of staff, so that when the government regulator asks, ‘Who is your compliance officer?’, the staff answers the question correctly.
• External Training and Conferences: Set aside funds for staff to attend conferences like those sponsored by the HCCA. Encourage them to take the compliance tests and become certified. Also, encourage them to present as speakers about the best practices of the entity’s compliance program. As speakers, entrance fees are often waived. Health plans may have their own events like “Blues Summit” or non-industry specific compliance events like the Ethisphere’s competition for “World’s Most Ethical Company”.
• Periodic Specialized Training: The Compliance unit can assist the business in training staff on new regulations. CMS requires that, in addition to general compliance training, the staff is trained on the Medicare requirements related to their job functions.
• Mandatory Participation: Attendance and participation in training and educational programs is mandatory for all employees – no exceptions for executives. In fact, the leadership should be setting an example by being first to complete their training. The government auditors may be more interested in knowing that the C-suite took its training than in the overall completion rate of the staff. This raises the bar to make certain that the entity uses the resources to make the training engaging and worthwhile every year. (HINT: CMS has asked CFOs in exit interviews during on-sites if they took the annual training.)
• Training and informal education should be varied, memorable and continuous.
• Training cannot be a once a year event.
• What does ‘acting ethically’ mean? As we know, neither the Code of Conduct nor the laws and requirements can cover every situation, so the training needs to train staff to ask themselves if the conduct is ethical or if the decision they are about to make is an ethical one.

∗ FDRs are obligated to their Sponsors who hold a contract with CMS to give annual (and new hire) training to certain staff and leaders who oversee delegated functions (first tier) or provide clinical services to members (downstream) or have “job functions that place the FDR in a position to commit significant noncompliance with CMS program requirements or health care FWA.” (HPMS memorandum, December 15, 2015). In addition, an FDR needs to oversee its FDRs to make certain that they are performing the necessary training. CMS has created a FWA and a Compliance module that can be accessed online (MLN), or the materials can be taken, though not modified, and incorporated into training of the FDR’s staff. Medicare providers who are deemed (have enrolled with CMS) can receive the compliance training by placing the compliance material in a document they are expected to read. Documenting the training can be challenging. Various reporting tools can be used, from Learning Module reports to a common SharePoint with staff uploading certificates or class sign-in lists for live presentations. One can document the ‘deemed provider’ communication by retaining evidence of the vehicle of transmission (e.g., provider portal or e-mail). The Attestations require that documentation of the training exists and is retained
Does it pass the ethics test?

• How will others be affected by the decision?
• What effect could this decision have on the company’s reputation?
• How would this decision be portrayed on the front page of the New York Times?
• How would I explain my decision to my children?

We often hear the expression ‘Tone from the Top’ and there is no doubt that hearing the message both in the words and actions from the ‘top’ is important and meaningful, but it must be authentic and match their behavior. A message that is not authentic can be worse than no message at all. Employees can quickly turn a message about ‘speaking up’ to ‘shutting up’ if they don’t believe that their leaders will protect them from retaliation. The leadership should be aware that they are being watched and they need to reflect the ‘tone’ in everything they do, from how they address someone in the cafeteria to making certain they occasionally eat in the staff cafeteria. They need to show the staff that when the staff does something important they appreciate their efforts, especially when it is an improvement that may impact customer satisfaction, quality and compliance.

There is also tone from the middle, which is the message delivered daily by middle management – what they say and do is also being watched every day by the front-line staff. Finally, making certain the front-line staff exude the appropriate tone when they speak with the entity’s customers, network providers and regulators is critical to an entity’s success. The front-line staff will reflect the company’s culture, so making certain there is an enlightened ‘tone from the top’ will improve customer satisfaction and relationships with stakeholders.

Recap on Training:

Varied: Training can be an e-mail blast on a topic, a monthly “Dear Compliance Officer” column, a blog (if in real-time this has some risks), de-identified ‘hotline’ questions, a six second video ‘vine’, etc.

Memorable: Make it stick: As mentioned, humor can be one way to do that.

Continuous: The above messaging must occur all year round, with the annual training being a moment to reflect on what has been learned.

Track It: Retain the above messages and create a system to track how they were disseminated to recipients. (Training test results and records should be kept for ten years per CMS).

The government may choose not to prosecute the entity or not to intervene in a False Claims Action (qui tam) if they determine that the wrongdoer was a “rogue employee” who chose to ignore the compliance training and education. This was the situation in the Morgan Stanley case. (See United States v. Garth Peterson).
In the Morgan Stanley case, the government decided not to prosecute Morgan Stanley for the violations of the Foreign Corrupt Practices Act (FCPA) because the entity was able to demonstrate that it:

• Maintained a system of internal controls;
• Had internal policies, which were updated regularly to reflect regulatory developments and specific risks;
• Frequently trained its employees on its internal policies, the FCPA and other anti-corruption laws; and
• Trained various groups of Asia-based personnel on anti-corruption policies fifty-four times between 2002 and 2008. During the same period, it trained Garth Peterson on the FCPA seven times and reminded him to comply with the FCPA at least thirty-five times.

Return on Investment? Yes. The Morgan Stanley compliance program protected the corporation from prosecution and, as a result, rewarded Morgan Stanley with many millions for having an effective compliance program.

The entity needs to understand its own unique risks by having a solid annual risk assessment process, then fashion brief trainings featuring the risks in various ways throughout the year and keep track of every one. It is optimal if the entity can keep track of which employees fail to pick up an e-mail message, then re-send it to them and/or speak directly to them, to make certain the messages are received.
RECAP AND CONFIRM

Here are some questions asked by the New York OMIG regarding Training:

• Is training and education provided to all staff on compliance issues, expectations and the compliance program operation?
• Is training and education provided to all Board members on compliance issues, expectations and the compliance program operation?
• Does the compliance training occur periodically?
• Is compliance training part of the orientation for new employees?
• Is compliance training part of the orientation for executives?
• Is compliance training part of the orientation for Board members?
  • 17. D. ELEMENT 4: COMMUNICATION LINES TO COMPLIANCE
    1. Communication Methods. The Compliance Officer maintains open lines of communication with all employees to facilitate communication and reporting of compliance issues.
    • Open Access: This means there is an ‘open door’ culture. This does not mean there is an “open door” to the Compliance Officer, as the company should provide the Officer with a traditional four-walled office (or a room to use) for confidential conversations with staff.
    A health plan also needs to maintain a method of anonymous and confidential reporting of compliance issues. An internal telephone hotline can be ‘confidential’ if the caller asks the recipient to keep it confidential; however, it can only be ‘anonymous’ if there is a system in place that removes the ability to see who is calling in. This is why many plans, and almost all Sarbanes-Oxley regulated entities, have moved to third party vendors that handle the call or web portal entry, and reply giving the party making the complaint a code number so they can continue to provide information anonymously and can be updated on the status of the investigation.
    Compliance “Hotline” messages must be clear. Here are some tips on how to draft the message in the Code:
    • Confidentiality: “The entity will hold all information, reports and questions provided or being raised by any individual in the strictest confidence permitted by applicable law.” Sometimes the government requires an entity to disclose the source.
    • The Right to Report Anonymously: “If an employee wishes to remain anonymous, he/she may call the anonymous hotline/web portal.”
    • A user-friendly hotline or web portal has become the standard: Although not required, regulators have come to expect that health plans have a 24-hour-a-day web portal or hotline so that issues can be logged when the staff is not at work. If it has a tracking mechanism then it has the added advantage of making reporting to the Board and others on hotline metrics much easier.
    • Investigation and Reporting Back: The Compliance Officer will typically oversee the investigation of complaints except when the issues involve the compliance unit’s staff or when outside counsel is handling the investigation. However, it should be clear that “whoever is handling the inquiry will always aim to report back to the individual or entity reporting the complaint on the
  • 18. status and ultimate outcome of the investigation, as permitted by applicable law.”
    Nota Bene: Although anonymous and confidential reporting vehicles are necessary, it is, of course, a sign of success when staff identify themselves when they report issues. It is an excellent sign that the entity has a strong culture of compliance and that staff do not have a concern about retaliation for making a complaint. (Hint: Having a metric showing a trend on anonymous vs. identified reporting is an excellent chart to provide to management and the Board.)
    Tips to avoid the issue turning into a whistleblower complaint and one with significant penalties:
    • How to Report: Reporting in good faith should be stated as an employee obligation. Employees who identify issues early and help with the remediation should be rewarded for speaking up. Those who ignore problems or, even worse, make malicious false reports to simply harm others, should be disciplined.
    • Act swiftly upon information: If a complaint is made and it is not investigated and the lawsuit is filed, then damages against the company can go up for having been alerted to the issue, but not having taken action. Also, if the entity responds quickly to the complainant that the investigation is underway, this may stop the complainant from going to external parties.
    • Provide a mechanism to communicate with complainant: Use a method to continue gathering information from the complainant (e.g., a numbering system, etc.).
    • Most whistleblowers inform the company in some manner before they file an action: This requires a culture of listening to staff and investigating and remediating issues when they are raised. Do not ignore the sealed anonymous letter left on an executive’s chair.
  • 19. RECAP AND CONFIRM
    Here are some questions asked by the New York OMIG regarding “Open Access”:
    • Are there lines of communication to the designated employee that are accessible to all staff to allow compliance issues to be reported?
    • Are there lines of communication to the designated employee that are accessible to all executives to allow compliance issues to be reported?
    • Are there lines of communication to the designated employee referred that are accessible to Board members to allow compliance issues to be reported?
    • Is there a method in place for anonymous good faith reporting of potential compliance issues?
    • Is there a method in place for confidential good faith reporting of potential compliance issues?
  • 20. E. ELEMENT 5: DISCIPLINARY POLICIES AND PROCEDURES
    When to Impose Discipline?: The imposition of discipline may be based on unlawful or unethical actions, negligent or reckless conduct, deliberate ignorance of the rules that govern the job, condoning or not reporting unlawful actions by others, retaliation or intimidation against those who report suspected wrongdoing, or other violations. Discipline may include giving an employee an oral or written warning, probation for a specified period, suspension, or termination of employment.
    Fair Treatment: Although there is no requirement that everyone be treated exactly the same for a compliance violation, there is an expectation that the treatment is not dependent on an employee’s title or financial contribution to the organization. The Policy should set out what conduct the company has zero tolerance for and then the company, using its judgment, needs to follow its policy and apply it in a fair and consistent manner.
    Be Timely: If the wrongdoing is well known then being timely may be very important, so that the company can get back to business.
    Deterrence: It is important that employees, and especially new hires, know what happens when someone commits an offense. Good examples to use in orientation are when there has been an actual employee who was terminated and referred to law enforcement for an offense like falsifying documents, or taking kickbacks. If none exist, then highlights from the industry work as well.
    Compliance Champions: On the flip side, the staff member’s good conduct should be rewarded. As discussed above, every annual review should have a section with a ‘commitment to compliance’. Also, when an employee identifies an issue and helps to fix it, that employee’s work can be spotlighted on the website, in an awards assembly or by being given a spot bonus.
  • 21. RECAP AND CONFIRM
    Here are some questions asked by the New York OMIG regarding disciplinary policies:
    • Do disciplinary policies exist to encourage good faith participation in the compliance program by all affected individuals?
    • Are there policies in effect that articulate expectations for reporting compliance issues for all affected individuals?
    • Are there policies in effect that articulate expectations for assisting in the resolution of compliance issues for all affected individuals?
    • Is there a policy in effect that outlines sanctions for failing to report suspected problems for all affected individuals?
    • Is there a policy in effect that outlines sanctions for participating in non-compliant behavior for all affected individuals?
    • Is there a policy in effect that outlines sanctions for encouraging, directing, facilitating or permitting non-compliant behavior for all affected individuals?
    • Are all compliance-related disciplinary policies fairly and firmly enforced?
  • 22. F. ELEMENT 6: ROUTINE IDENTIFICATION OF COMPLIANCE RISK AREAS
    1. Routine Identification of Compliance Risk Areas.
    Metrics:
    • What is the entity monitoring and measuring?
    • How does it measure what it is tracking? Does it set thresholds and targets to be achievable or aspirational? (Typically, Red, Yellow & Green are used to identify issues that are on track, off-track, and seriously off-track.) (HINT: when a manager asks to have the metric threshold and targets be raised, this is cause for celebration.)
    • How does an entity assign accountability for making certain the data is provided in a timely fashion?
    • Can some data be delivered in ‘real-time’ like enrollment data?
    • Does an entity use a system to track the data and measure the metrics?
      - There are many things an entity can measure. Whatever an entity prioritizes to measure, the entity needs to make certain that if it is failing, it then digs deep into the root cause(s) to find out why.
      - Beware of metrics that solely reward timeliness, like claims payment or complaint resolution; extraordinary success on timeliness may mean quality or accuracy are being forfeited for turnaround time.
    Below are a few examples of metrics that when they are failing, leadership and the Board should be asking “why”:
      - If the first level decision or denials are being overturned above a certain % -- ask why?
      - If the same members are calling in repeatedly with the same issues to be resolved -- ask why?
      - If a high % of claims are not being paid in time -- ask why?
      - If sales are not sticking -- ask why?
      - If the entity is not retaining employees -- ask why?
  • 23.
      - If as a provider claims are being denied -- ask why?
    • Annual risk assessment: Include the U.S. Office of Inspector General (OIG) and New York OMIG work plans, as well as internal issues and internal audit findings; the risks should reflect both the industry and the entity risks. Once a list of top ten risks is compiled, have each leader, or maybe even all staff, rank the risks.
    • Annual Employee Surveys: There should be questions about how comfortable the staff feel reporting wrongdoing or even mistakes and how their leadership responds to their concerns. No one wants to hear bad news, but the sign of a good leader is one who encourages such reporting. These metrics along with employee retention are important for the Board to see. Try to keep some questions the same year over year, so the entity can track a trend over time on how employees are answering questions, for example: Do you know how to report wrongdoing? Do you feel comfortable reporting issues? Do you feel the leadership is receptive to bad news?
    • Exclusion Process: Compliance needs an enterprise-wide process to regularly check employees, contracted staff, providers, FDRs and Board members to assure they are not on the federal exclusion lists.
    • Conflict of Interest process: Compliance needs an enterprise-wide process to annually, and when changes occur throughout the year, allow employees and Board members to update their conflict of interest forms (COI). Ideally, this process is an online form and when a change occurs, Compliance is notified.
    • Attestation and Training Process: Compliance needs a process to obtain attestations from its FDRs as to the FDRs’ compliance training and FWA training -- if they are not a Medicare deemed provider.
    • HIPAA Security Rule Assessment: The Office of Civil Rights (OCR) recommends a periodic assessment of the potential risks to confidentiality, integrity and availability of e-PHI held by the covered entity. Initially, OCR recommended that it be performed annually. Now it appears to be something less than annually. Also, the OCR is attempting to make the process more palatable for small providers and in 2014 came out with a security risk assessment tool specifically for health care providers in small to medium sized offices. All covered entities, plans and providers, are required to perform an assessment. 45 CFR §164.308(a)(1)(ii)(a).
  • 24.
    • Compliance Assessment: CMS recommended a few years ago that on an annual basis a health plan have an external party assess its compliance program for effectiveness. The recommendation was later modified because of concerns about the added cost, to suggest that the ‘external’ party could be another plan (e.g., one Blue Cross Blue Shield plan assess another Blue Cross Blue Shield plan) or even the Internal Audit team as long as the team is not a part of the compliance unit. In 2015, CMS suggested that the below tool be used by sponsoring organizations. It can be used as a self-assessment or by the party performing the assessment.
      - https://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/Downloads/Compliance-Program-Effectiveness-Self-Assessment-Questionnaire.pdf
    2. Ongoing Compliance Auditing and Monitoring.
    • Compliance, Delegated Oversight, Special Investigations Unit (SIU), Internal Audit and Legal & Regulatory Affairs must work closely together.
    • Legal and Regulatory Affairs need to advise business units on how to implement new regulations with assistance from Compliance and Internal Audit on overseeing execution.
    • Internal Audit must prepare a Master Audit plan and then present it for approval to the Audit Committee of the Board. Internal Audit should also lead the Model Audit Rule process that may focus on financial controls or more broadly take into account all system controls for all functions.
    • Compliance may do real-time spot-checking of issues (e.g., making calls to random members to see if paid services were satisfactorily rendered, or handle and/or oversee the outbound enrollment verification process required for Medicare Advantage plans by CMS).
    • SIU typically takes outside referrals and investigates them, but they can certainly have a role in internal investigations of fraud issues. Certain CMS Complaint Tracking Module complaints (referred to as CTMs) should be investigated by the SIU, e.g., sales misrepresentations, while operational issues may be better suited to be handled by the Compliance unit.
  • 25. In addition, an entity needs the following functions:
    • Delegated Oversight: This unit or program can be part of Compliance or stand on its own. It must ensure oversight of FDRs’ compliance issues as well as making certain they are following the service level agreements (‘SLAs’) in their contracts.
    • Credentialing or Sanctioning Committee: There needs to be within the entity a cross-functional committee that oversees the process of terminations and sanctioning of network providers. It may be a function of the Credentialing Committee or it may be a separate committee.
    Fraud, Waste and Abuse Program (Special Investigations Unit)
    • New York requires that every Payer have a fraud and abuse prevention plan and a special investigations unit (SIU) to carry it out once it has 10,000 or more members in its government plan. (10 NYCRR Section 98-1.21).
    • However, even if a Payer (or a provider) is not required to have a unit per se, they still need to identify fraud, waste and abuse as an element of an effective compliance program, so they may need to have a plan to detect and prevent fraud and abuse without having an SIU to carry it out. If there is no SIU, then some of the functions can be handled by the Compliance unit.
    • Fraud and Abuse Prevention Plan:
      - Both payers and providers need to have a fraud line to receive leads.
      - Payers should have a comprehensive data warehouse where SIU staff can query patterns of abuse and find potential provider outliers.
      - Payers should have a process to audit providers on claims already paid over a 12-month period.
      - Payers should have a process to identify providers whose claims should be pended before payment and be able to quickly review those pended claims before payment.
      - Payers and providers need to train all of the staff on what to look for to help in the detection of fraud and abuse.
  • 26.
      - Providers need to train staff to support claims with accurate, complete and contemporaneous documentation.
      - Providers and payers need to have a process around receipt of potential overpayments. The CMS Final Rule provides 60 days to return an overpayment to the government and that clock begins to tick upon quantification of the identified overpayment. (See recent CMS Final Rule, 42 CFR Part 401 and 405)
    3. Tracking New Developments. This includes at a minimum:
    • Receiving and reviewing daily the Health Plan Management System (“HPMS”) memos and guidance;
    • Reviewing newly issued OIG Special Fraud Alerts and Advisory Opinions;
    • Reviewing CMS and OMIG’s compliance alerts and related issuances; and
    • Reviewing OMIG and OIG Work Plans and CMS readiness checklist.
    Based on any relevant new developments, compliance must oversee and monitor that the new requirement is implemented and track the execution through an enterprise-wide process (including delegated entities if impacted). This can be accomplished through an attestation flow-down process.
    Employees should also read publications put out by HCCA, Kaiser Health News, medical journals, alerts by trusted sources, investor analysis of health care trends, health plan 10Ks, among other items. Reading materials from a variety of points of view will improve the staff’s ability to be innovative when solving problems.
  • 27. RECAP AND CONFIRM
    Here are some questions asked by the New York OMIG regarding disciplinary policies:
    • Do you have a system in place for routine identification of compliance risk areas specific to your provider type?
    • Do you have a system in place for self-evaluation of the risk areas, including internal audits and as appropriate external audits?
    • Do you have a system in place for evaluation of potential or actual non-compliance as a result of self-evaluations and audits?
  • 28. G. ELEMENT 7: RESPONDING TO COMPLIANCE ISSUES -- REMEDIATION AND SELF-DISCLOSURE
    Integrity is not about being perfect. It is about having the ethical backbone to admit when an error has been made and fixing it. If Elements 4 and 6 are in place, there should be no shortage of issues being reported. Typically when a new compliance program is rolled out, there is an uptick in issues being raised. Once the issues come in, then what?
    As described under Element 4, make certain the issue is tracked and then respond, as soon as possible, to the party that raised the issue, even if it is a general statement that their complaint was received and that they will hear back. Begin the investigation and, as it is ongoing, remediate and mitigate the issues along the way. An entity should never wait until the investigation is complete to remediate the issues, especially if the issue causing a lack of compliance could impact members in its un-remediated state. This lesson was recently delivered by the OCR in seeking Civil Monetary Penalties against a respiratory care provider in an investigation of a HIPAA violation because the entity knew about the complaint, and the potential disclosure of more patient information due to the violation, and failed to begin remediation until the inquiry was closed. (See Lincare, February 3, 2016).
    If the issue involves a process issue that has already impacted members and/or government overpayments, then there needs to be a process to disclose the issues and the corrective action to CMS and the OMIG.
    Disclose early: CMS will penalize the entity in an Audit if an issue is discovered that was known, or should have been known, and was not disclosed.
    Overpayments: As stated above, the CMS and the OMIG expect timely refunds of overpayments received.
    Corrective Action Plan (“CAP”): CMS and/or the OMIG will typically require a corrective action plan so the entity should have a plan in place when it discloses. It is not recommended that an entity delay the disclosure until the CAP is complete, but rather provide information as to when it was put in place and what will be done to oversee the implementation and execution of the plan and then how it will be monitored over time.
  • 29. RECAP AND CONFIRM
    Here are some questions asked by the New York OMIG regarding responding and reporting:
    • Is there a system in place for responding to compliance issues as they are raised?
    • Is there a system in place for investigating potential compliance problems?
    • Is there a system in place for responding to compliance problems as identified in the course of self-evaluations and audits?
    • Is there a system in place for correcting compliance problems promptly and thoroughly? Is there a system in place for implementing procedures, policies and systems as necessary to reduce the potential for recurrence?
    • Is there a system in place for identifying and reporting compliance issues to the NYS Department of Health or the NYS Office of Medicaid Inspector General?
    • Is there a system in place for refunding Medicaid overpayments?
  • 30. H. ELEMENT 8: POLICY OF NON-INTIMIDATION AND NON-RETALIATION
    The Code of Conduct should state the following:
    1. Every employee has an affirmative duty to report issues or concerns that come to his/her attention through the appropriate channels. Failure to do so can result in disciplinary action.
    2. The entity will not take disciplinary or retaliatory action against an employee who in good faith raises a concern.
    3. Retaliation or intimidation in any form by any individual is strictly prohibited and is itself a serious violation of the Code of Conduct.
    4. Managers have the responsibility to maintain an environment where employees feel comfortable raising issues or asking questions.
    5. If any employee feels that he or she is being intimidated or retaliated against, that individual needs to contact the Compliance Officer, Chief of Human Resources or the General Counsel or if necessary the CEO or even the Board.
    6. Any employee who commits or condones any form of retaliation needs to know that they will be subject to discipline including termination.
    The OMIG expects that every health care provider and health plan that is required in New York to have a compliance program have an eighth element -- a policy and practice of zero retaliation against whistleblowers. That means that at every level of the organization, an employee can identify a process failure, a potential risk, and can even be wrong, but if they acted in good faith, then there should be no retaliation, no dismissal, no demotion, and no change of duties. Good Faith means they did not intentionally put forth a false complaint.
    Is the ‘whistleblower’ given protection? Yes, but not special protection. A whistleblower or relator must be treated the way all employees should be treated under the Code of Conduct. An entity cannot discriminate against an employee for being a whistleblower. The employee should be treated no worse for having reported the issue.
  • 31. Any whistleblower who is discharged, demoted, suspended, threatened, harassed or in any other manner discriminated against by his or her employer for reporting a violation will be entitled to:
    • reinstatement with seniority;
    • double back pay;
    • interest;
    • special damages; and
    • attorney’s fees and costs.
  • 32. RECAP AND CONFIRM
    Can you certify to the OMIG that you have:
    • A policy of non-intimidation for good faith participation in the compliance program, including but not limited to reporting potential issues, investigating issues, self-evaluations, audits and remedial actions, and reporting to appropriate officials as provided in Sections 740 and 741 of the New York State Labor Law?
    • A policy of non-retaliation for good faith participation in the compliance program, including but not limited to reporting potential issues, investigating issues, self-evaluations, audits and remedial actions, and reporting to appropriate officials as provided in Sections 740 and 741 of the New York State Labor Law?
    Both sections prohibit any retaliatory personnel action by the employer against an employee who “blows the whistle”.
    Section 740 is for an action where a violation is alleged that creates and presents a substantial and specific danger to the public health or safety, or which constitutes health care fraud.
    • Section 740 applies broadly to all employers in New York State including health care employees.
    Section 741 is for an action that the whistleblower “reasonably believed,” in good faith, that the complained-of activity, policy or practice of the employer constituted improper quality of patient care.
    • Section 741 applies to New York health care employers only.
  • 33. I. CMS SANCTIONS HEALTH PLANS THAT FAIL TO HAVE AN EFFECTIVE COMPLIANCE PROGRAM
    CMS lists on its website civil monetary penalties assessed against health plans during program audits. The high risk areas currently involve a failure to monitor the Part D Pharmacy Benefit Manager (“PBM”); failure to oversee the process to provide accurate and timely Explanations of Coverage (EOC) and Annual Notice of Coverage (ANOC) and failure to properly administer the Grievance and Appeals process. In addition, CMS often mentions the compliance program requirements and a failure to have in place an effective compliance program. Below is some typical language from the CMS letters that describes the sanctions:
    Compliance Program Relevant Requirements (42 C.F.R. §§ 422.503(b)(4)(vi) and 423.504(b)(4)(vi); IOM Pub. 100-18 Medicare Prescription Drug Benefit Manual, Chapter 9; IOM Pub. 100-16 Medicare Managed Care Manual, Chapter 21)
    Sponsors are required to adopt and implement an effective compliance program, which must include measures that prevent, detect and correct non-compliance with CMS’ program requirements. An effective compliance infrastructure is necessary for a sponsor to adequately monitor and oversee its operations as a whole. Serious issues of non-compliance often occur when a sponsor does not dedicate the resources to developing and maintaining an effective compliance program. Some of the most important requirements for an effective compliance program include, but are not limited to:
    • involving the sponsor’s senior leaders in issues of non-compliance;
    • developing an effective system for routine monitoring and identifying of compliance risks;
    • promptly responding to compliance issues as they are raised; investigating potential issues of non-compliance and correcting those problems;
    • and monitoring and auditing first tier entities that contract with the sponsor to ensure that they are in compliance with CMS requirements.
    Failure to have an effective compliance program is considered by CMS a violation of the health plan’s contract and can result in penalties and other sanctions. Here are a few compliance related violations:
  • 34.
    1. Failure to establish and implement a formal risk assessment and an effective system for routine monitoring and auditing of identified compliance risks. This is in violation of 42 C.F.R. §§ 422.503(b)(4)(vi)(F) and 423.504(b)(4)(vi)(F); IOM Pub. 100-16 Medicare Managed Care Manual, Chapter 21, Section 50; and IOM Pub. 100-18 Medicare Prescription Drug Benefit Manual, Chapter 9, Section 50.
    2. Failure to have adequate and appropriate resources dedicated to FDR audit activities. This is in violation of 42 C.F.R. §§ 422.503(b)(4)(vi)(F) and 423.504(b)(4)(vi)(F); IOM Pub. 100-16 Medicare Managed Care Manual, Chapter 21, Section 50; and IOM Pub. 100-18 Medicare Prescription Drug Benefit Manual, Chapter 9, Section 50.
    3. Failure to provide updates on results of monitoring, auditing, and compliance failures to senior leadership. This is in violation of 42 C.F.R. §§ 422.503(b)(4)(vi)(B) and 423.504(b)(4)(vi)(B); IOM Pub. 100-16 Medicare Managed Care Manual, Chapter 21, Section 50; and IOM Pub. 100-18 Medicare Prescription Drug Benefit Manual, Chapter 9, Section 50.
    4. Failure to receive regular reports of audit and monitoring results and the status of the effectiveness of corrective actions taken. This is in violation of 42 C.F.R. §§ 422.503(b)(4)(vi)(F) and 423.504(b)(4)(vi)(F); IOM Pub. 100-16 Medicare Managed Care Manual, Chapter 21, Section 50; and IOM Pub. 100-18 Medicare Prescription Drug Benefit Manual, Chapter 9, Section 50.
    5. Failure to maintain thorough documentation of all deficiencies identified and corrective actions taken. This is in violation of 42 C.F.R. §§ 422.503(b)(4)(vi)(G) and 423.504(b)(4)(vi)(G); IOM Pub. 100-16 Medicare Managed Care Manual, Chapter 21, Section 50; and IOM Pub. 100-18 Medicare Prescription Drug Benefit Manual, Chapter 9, Section 50.
    CMS will look at the health plan’s resources to see if it is properly staffed to perform the obligations of its contract. In a letter on the website it stated:
    The [Plan] did not have the proper resources dedicated to the compliance function, which affected their ability to complete a formalized risk assessment, implement annual monitoring and auditing work plans, and ensure its operational areas complied with Medicare regulations. In addition to having insufficient staff, the [Plan] did not demonstrate an understanding of CMS requirements for monitoring its FDRs and assumed its FDRs would independently comply with all applicable CMS requirements. The committee overseeing the compliance program was not aware of its responsibilities and requirements for reporting auditing and monitoring activities to its senior leadership. The [Plan’s] Compliance Officer was not able to effectively conduct any follow up of corrective action plans to ensure they were effective in fully addressing and resolving identified compliance issues.
  • 35. How does a compliance program help with the objective of detection and prevention of non-compliance and fraud, waste and abuse?
    • A well written Code is read, understood and followed by the staff.
    • Policies and procedures that can be easily located, reflect practices and are regularly updated are referred to and followed by employees.
    • The culture of ethical behavior with a strong commitment from the top makes it clear to the staff what the entity is about. It can distinguish an entity in the marketplace, providing the entity with a reputation that it can be trusted. It can help to attract and retain highly ethical employees.
    • Appropriate governance in terms of reporting structure, decision-making and accountability can provide leadership with a window to its issues and improve risk management.
    • Training on ‘hot spots’ and ‘red flags’ helps to detect fraud, waste and abuse.
    • Having a hotline lets an entity find the issues, remediate them and track and trend the outcomes.
    • Spotlighting compliance champions will make everyone want to be a champion.
    • Monitoring and Oversight that is collaborative and cooperative can make compliance an enterprise-wide priority.
    • Metrics and reporting help the entity to learn from its operational failures and improve over time.
    • The culture of no retaliation means that issues will be raised, reported and remediated early and possibly before members have been impacted. If the issues need to be disclosed to the government, the issues will be disclosed by the entity rather than by a whistleblower.
  • 36. Paulette Wunsch is a consultant in areas of compliance and managed care operational effectiveness. She is an attorney and member of the Bar in New York and Connecticut. Prior to consulting, Paulette held roles as a General Counsel, Chief Compliance Officer and Associate General Counsel at MCOs including Oxford Health Plans, UnitedHealthcare, WellCare, Blue Cross Blue Shield of Florida, Nippon Life Benefits and VNSNY. Prior to coming in-house, she practiced law in the law firm of Day, Berry & Howard (now known as Day Pitney) where she represented both health plans and providers and prior to that she spent eight years with the U.S. Department of Justice, including serving as a federal prosecutor in the U.S. Attorney's Office in Manhattan during which time she was part of the New York Health care Task Force. She received her B.A. from the University of Chicago, her J.D. from Yeshiva University, Cardozo School of Law and her LL.M. from Columbia University, School of Law.