program effectiveness: a resource guide
TRANSCRIPT
Measuring Compliance Program Effectiveness: A Resource GuideHCCA-OIG Compliance Effectiveness RoundtableRoundtable Meeting: January 17, 2017 | Washington, DC
ISSUE DATE: MARCH 27, 2017
1
MeasuringComplianceProgramEffectiveness–AResourceGuide
HCCA-OIGComplianceEffectivenessRoundtableRoundtableMeeting:January17,2017
WashingtonDCIntroductionOnJanuary17,2017,agroupofcomplianceprofessionalsandstafffromtheDepartmentofHealthandHumanServices,OfficeofInspectorGeneral(OIG)mettodiscusswaystomeasuretheeffectivenessofcomplianceprograms.Theintentofthisexercisewastoprovidealargenumberofideasformeasuringthevariouselementsofacomplianceprogram.Measuringcomplianceprogrameffectivenessisrecommendedbyseveralauthorities,includingtheUnitedStatesSentencingCommission(see,Chapter8oftheUnitedStatesSentencingGuidelines).Thislistwillprovidemeasurementoptionstoawiderangeoforganizationswithdiversesize,operationalcomplexity,industrysectors,resources,andcomplianceprograms.DuringthemeetingonJanuary17,theparticipantsbrokeinto4groupsof10attendeestodiscuss2elementsofacomplianceprogramatatime.Duringfoursessions,everyparticipanthadachancetosuggestideasabout“whattomeasure”and“howtomeasure”withrespecttoallsevenelementsofacomplianceprogram.Weusedthefollowingcategories,fromtheHealthCareComplianceAssociation’sCHCCandidateHandbook:DetailedContentOutline,asaguidetoensurethatallelementsofacomplianceprogramwerecovered:ComplianceProgramElements:1. Standards,Policies,andProcedures2. ComplianceProgramAdministration3. ScreeningandEvaluationofEmployees,Physicians,VendorsandotherAgents4. Communication,Education,andTrainingonComplianceIssues5. Monitoring,Auditing,andInternalReportingSystems6. DisciplineforNon-Compliance7. InvestigationsandRemedialMeasuresWehavelistedbelowmanyindividualcomplianceprogrammetrics.Thepurposeofthislististogivehealthcareorganizationsasmanyideasaspossible,bebroadenoughtohelpanytypeoforganization,andlettheorganizationchoosewhichonesbestsuititsneeds.Thisisnota“checklist”tobeappliedwholesaletoassessacomplianceprogram.Anorganizationmaychoosetouseonlyasmallnumberoftheseinanygivenyear.Usingthemallorevenalargenumberoftheseisimpracticalandnotrecommended.Theutilityofanysuggestedmeasurelistedin
2
thisreportwillbedependentontheorganization’sindividualneeds.Someofthesesuggestionsmightbeusedfrequentlyandothersonlyoccasionally.Thefrequencyofuseofanymeasurementshouldbebasedontheorganization’sriskareas,size,resources,industrysegment,etc.Eachorganization’scomplianceprogramandeffectivenessmeasurementprocesswillbedifferent.Somemaynotapplytotheorganization’senvironmentatallandmaynotbeused.Anyattempttousethisasastandardoracertificationisdiscouragedbythosewhoworkedonthisproject;onesizetrulydoesnotfitall.Element1:Standards,Policies,andProceduresA.Conductperiodicreviewsofpolicies,procedures,andcontrols.B.Consultwithlegalresources.C.Verifythatappropriatecodingpoliciesandproceduresexist.D.Verifythatappropriateoverpaymentpoliciesandproceduresexist.E.Integratemission,vision,values,andethicalprincipleswithcodeofconductF.Maintaincomplianceplanandprogram.G.Assurethatanonretribution/nonretaliationpolicyexists.H.Maintainpoliciesandproceduresforinternalandexternalcomplianceaudits.I.Verifymaintenanceofarecordretentionpolicy.J.Maintainacodeofconduct.K.Verifymaintenanceof:
1.Aconflictofinterestpolicy2.Appropriateconfidentialitypolicies3.Appropriateprivacypolicies4.Policiesandprocedurestoaddressregulatoryrequirements(e.g.,theEmergencyMedicalTreatmentandLaborAct(EMTALA),ClinicalLaboratory
ImprovementAmendments(CLIA),Anti-Kickback,research,laborlaws,Starklaw).L.Verifyappropriatepoliciesoninteractionswithotherhealthcareindustrystakeholders(e.g.,hospitals/physicians,pharma/devicerepresentatives,vendors).M.Assurepoliciesandproceduresaddressthecomplianceroleinqualityofcareissues.N.Verifymaintenanceofapolicyongiftsandgratuities.O.Verifymaintenanceofstandardsofaccountability(e.g.,incentives,sanctions,disciplinarypolicies)foremployeesatalllevels.P.MaintainaComplianceDepartmentoperationsmanual.Q.Verifymaintenanceofpoliciesonwaiversofco-paymentsanddeductibles.R.Assuregovernancepoliciesrelatedtocomplianceareappropriatelymaintained.Source:CHCCandidateHandbook:DetailedContentOutline
3
Element1:Standards,Policies,andProcedures
WhattoMeasure HowtoMeasure
Access:
1.1
Accessibility
• Reviewlinktoemployeeaccessiblewebsite/intranetthatincludestheCodeofConduct• Survey-Canyoureadilyaccessorreferencepoliciesandprocedures?(Yes/No/Don'tknow)• Survey-Howandwheredoemployeesactuallyaccesspoliciesandprocedures?• Testkeywordsearch(searchable)• Auditandinterviewstafftoshowpolicies
1.2 ActualAccess Audithowmanyactual"hits"onpoliciesandprocedures
1.3 Accessiblelanguageforcode,standardsandpolicies FleschKincaidmeasuringstandard–nomorethan10thgradereadinglevel
1.4
Complianceprogramawarenessandcommunication
• Surveyemployeestodeterminetheextenttowhichthecodeofconductandothercompliancecommunicationsareavailabletoemployees
• Reviewtoensurethestandards,policies,andawarenessmaterialisupdatedanddistributedwithinorganization’sguidelines
1.5 Impairedordisabledaccessibility Reviewaccessibilityoptions.Lookatmethodsandspeaktoindividuals.
1.6 Policycommunication Communicationstrategyofpolicies
1.7 Availabilityofpolicycontent Conductsurveysandobservation
Accountability:
1.8 Accountability PolicyCoordinatordesignated
1.9 Ownershipandaccountabilityofpolicies Auditprocessofhowpoliciesgetenforcedbychainofcommandwhencomplianceisnotthefinalapprover.Ismanagementtakingresponsibilityforimplementingandfollowingpolicies?
1.10 Routinepoliciesandprocedures Confirmthatlistedownerofeachpolicyandprocedureistheactualowner.
4
Review/ApprovalProcess:
1.11 AnnualreviewandBoardapprovalofCompliancePlan Audit:ReviewofBoardminutes
1.12 Compliancedocumentationoperationsmanual Complianceorotheroversightcommitteetoreviewannuallytoensureitisuptodate.
1.13 Maintenanceofpolicies Checklastrevieworrevision
1.14 Numberofpoliciesreviewedandisthereviewtimely Processreview/audit.Usechecklisttoensureallbasicpolicyelementsareinplace,updatedconsistentlyandreviewed/approvedbyappropriateparties.
1.15 Policyapprovals Checklistaudit.Createlistofpolicies,reviewcommitteeandboardminutestoensureallapprovalshavebeenobtained.
1.16 Policyreviewprocess Auditprocessbywhichpoliciesandproceduresareprepared,approved,disseminated,etc.
1.17 Processforensuringfullorganizationalparticipationinpolicyandproceduredevelopment
Reviewdocumentation/minutestoverifyinputconsideredandsolicitedforpolicyandproceduredevelopmentandreview
1.18 Processforreviewandapproving Checkforwrittenprocess
Quality:
1.19 Arepolicies(andprocedures)asgoodasindustrypractice Peerreviews
1.20 IntegrityofProcessfordevelopingandimplementingpoliciesandprocedures Auditpolicyandprocedureonpolicyandprocedures
1.21Languageandreadinglevelofpolicies
Arepolicieswritteninplainlanguage,appropriategradereadinglevelandwritteninapplicablelanguagesfororganization?Policyreview,Wordgradelevelreviewandinterviewsofstafftomakesuretheyunderstand.
1.22 Languagetranslation Auditorprocessreview.Arepoliciesandthecodeofconducttranslatedintoappropriatelanguagesfororganization?
1.23 Usefulness SURVEY-Dodepartmentpoliciesandproceduresassistyouindoingyourjobeffectively?(Yes/No/Don'tknow)
5
1.24 Needforpoliciesthatdon’texist Interviewstafftodetermineiftheyneedthecertainpoliciestostrengtheninternalcontrols.
1.25 Policiesandprocedures Requestreviewfromexternalexperts
Assessment:
1.26 Assessmentofallcompanypolicies Checklistofpolicies;whicharecomplianceandwhicharebusiness
1.27 Essentialcompliancepoliciesandproceduresexist Canstaffactuallyarticulatepoliciesandprocedures;teststaff
1.28 Existenceofproceduretosupportpolicy Auditforproceduretosupportpolicy
1.29 Fundamentalpoliciesandproceduresinplace Havefocusgroupsofworkunits/departmentstodeterminewhethertheyunderstandthepoliciesandproceduresnecessarytodotheirjobs.
1.30Identifiability • Indexofpoliciesavailableandcurrent
• Numberedpolicies,notjusttitles
1.31 Listofpoliciesareapplicabletoemployees Supervisorstoassessdirectstaff
1.32 Arethoseaffectedbypolicygiventheopportunitytoweighinonpolicywhendeveloped? Focusgroupsandinterviewsofthoseaffectedbypolicy.
1.33 Listofrequiredpolicies Createchecklisttomakesureminimumpoliciesareinplaceandthenauditagainstthelist.
1.34 Effectivenessofpolicies Effectivenessofpoliciesbasedonthesubmissionhotlinecalls
1.35 Policiesandproceduresthathavebeenidentifiedaspartofcorrectiveaction
Processreview.Conductannualmeetingwithcomplianceandlegaltolookatdatabasesandcontrolandprioritizereviewtoensureimplementationandongoingcompliancewithpoliciesandprocedures.
1.36 Policiesforhighriskandoperationalareas Audit
1.37 Policies,standardsandproceduresarebasedonassessedrisks
Riskassessment,policyexistsforeachriskidentifiedintheriskassessment(coverageofaspecificrisktopic)
1.38 Policyinventorytoensurenooverlapandcontradictionofpolicies
Createinventoryandanalyzeinventory.Analyzeandreviewpastefforts.Lookatvariousdepartmentsthatmighthaveoverlappingpolicies.
1.39 Policyreviewfollowinginvestigation/issue Toppoliciesimplicatedinaninvestigationarereviewedtodetermineifpolicyambiguous,complex,failstoadequatelysafeguardissues.Validatethroughaudit.
6
1.40
Routinepoliciesandproceduresareaddressedandfilterdown. Reviewdepartmentandcommitteeagendastoensurepoliciesareaddressed
CodeofConduct:
1.41 CodeofConduct Audit:Reviewdates,boardapprovals,distributionprocesses,attestations,surveyemployeesforunderstanding,conductfocusgroups.
1.42 Complianceprogramawarenessandcommunication SurveyemployeestodeterminetheextenttowhichtheyknowthecontentoftheStandardsofConduct(SOC)andhowtoaccessit.
1.43 Integratemission,vision,values,andethicalprincipleswithcodeofconduct
Comparecodewithmissionandvisionstatementstoseeifitincludeselements/statements.Checktoseeifcodeisaccessibletoemployees
1.44 Maintenanceofcodeofconduct Iscodewritten,postedforemployees,documentedfrequencyofreviews,andsurvey/testemployeesonabilitytolocateit
1.45Distribution
DocumentationofCodeofConductdistributiontrackingandresultsoverpasttwoyearsforallemployees,employedphysicians,alliedhealthprofessionals,independent(contracted)physicians,volunteersandvendors/contractor/consultantsintheorganization
1.46 Orientation AudittoensureallemployeesreceiveorientationtotheSOCandcompliancepolicieswithin30daysofhire.
1.47 Staffunderstandingofcodeofconductandpoliciesandprocedures
• Reviewtestscoresaftertraining.• Conductinterviews.
Updates:
1.48 Complianceprogramcommunicationofrulechanges Reviewperiodicallyandatrulechanges–Audittoensurethereisadequatecommunicationtoemployees,includingchangesinpolicy/procedure.
1.49 Newandupdatedpolicydistributionandeducationofappropriatestaff
Processreview-Doesorganizationhaveformalprocesstomakeworkforceawareofnewpoliciesorchangesinpolicies?
1.50 Practicesimplementedafternewpolicy Auditpracticesandreviewcommitteeminutesandotherdocumentationtodeterminehownewpoliciesareimplemented.
Understanding:
1.51 UnderstandingofPolicies/Procedures • Conductsurveysand/orfocusgroupsonspecificpolicies
7
• Auditadherencetopolicy/procedure
1.52 Orientation Ensureemployeesareprovidedinstructionbyknowledgeablepersonnelforquestions/clarity
1.53 Policiesreflectpractice Usepoliciesasaudittoolandtheninterview,observeandconductdocumentreviewtoensurepoliciesarebeingfollowed.
1.54 Questionsaskedbyemployees Systeminplacetotrackemployeequestionsandconcernstoensureconsistentguidance.Trackdepartmentswherequestionscomefromtodeployadditionaleducationwherenecessary.
1.55 Understandabletoboardandc-suite Testboardandc-suiteonlocationandunderstanding
1.56Understandabletoemployees
• Readingcomprehensiontest• Situationaltests• Testoflocation
CompliancePlan:
1.57 Maintaincomplianceplanandprogram Reviewwrittenplanorwrittenscheduleofcomplianceactivities
1.58Maintaincompliancedepartmentoperationsmanual • Auditexistenceofwrittenmanual,handbook,orreferenceguide
• Testwhetherthemanualiscurrent
ConfidentialityStatements:
1.59 Verifymaintenanceofappropriateconfidentialitypolicies
• Auditprocedureforobtainingconfidentialitystatementsfromemployees• Auditemployeefilesforsignedconfidentialitystatementsfromemployees
Enforcement:
1.60 Compliancewithpolicies Conductinterviews,observation.
1.61 Policyviolations Auditpolicyandprocedurestomakesurepracticeconsistentwithpolicy.
1.62 Adherencetopoliciesandproceduresforcasesinvolvingpatientharmandreportingtoregulatoryagency
Reviewpoliciesandproceduresandcasesinvolvingpatientharmandvalidateproperreportingtoregulatoryagency
8
Element2:ComplianceProgramAdministration
A.Maintainacompliancebudget(e.g.,contributetoplanning,preparing,andmonitoringfinancialresources).B.Reportcomplianceprogramactivitytothegovernanceboard/committee.C.Coordinateoperationalaspectsofacomplianceprogramwiththeoversightcommittee.D.Collaboratewithotherstoinstitutebestcomplianceprogram.E.Coordinateorganizationaleffortstomaintainacomplianceprogram.F.Definescopeofcomplianceprogramconsistentwithcurrentindustrystandards.G.Assurethatthecomplianceoversightcommittee’sgoalsandfunctionsareoutlined.H.Evaluatetheeffectivenessofthecomplianceprogramonaperiodicbasis.I.Maintainknowledgeofcurrentregulatorychangesandinterpretationoflaws.J.Assurethecredibilityandintegrityofthecomplianceprogram.K.Recognizetheneedforoutsideexpertise.L.Overseeacomplianceeducationprogram.M.Verifytheorganizationhasdefinedtheauthorityofthecomplianceofficeratahighlevel.N.Verifythegoverningboardunderstandsitsresponsibilityasitrelatestothecomplianceprogramandculture.O.Assurethattheroleofcounselinthecomplianceprocesshasbeendefined.P.Definetheresponsibilities,purpose,andfunctionforallcompliancestaff.Q.Assurestaffingforthecomplianceprogram.R.Verifycomplianceriskassessmentsareconductedperiodically.S.Participateinthedevelopmentofinternalcontrolsandsystemstomitigaterisk.T.Incorporaterelevantaspectsofregulatoryagencies’focusintocomplianceoperations.U.Overseeintegrationofthecomplianceprogramintooperations.V.Developanannualcomplianceworkplan.W.Demonstrateindependenceandobjectivityinallaspectsofcomplianceprogram.X.Maintainanindependentreportingstructuretothegoverningbody(e.g.,Board,PhysicianPracticeExecutiveCommittee).Source:CHCCandidateHandbook:DetailedContentOutline
9
Element2:ComplianceProgramAdministration
WhattoMeasure HowtoMeasure
BoardofDirectors:
2.1ActiveBoardofDirectors
• ReviewminutesofmeetingswhereComplianceOfficerreportsin-persontotheAuditandComplianceCommitteeoftheBoardofDirectorsonaquarterlybasis
• Conductinventoryofreportsgiventoboardandapplicablecommittees.
2.2Boardunderstandingandoversightoftheirresponsibilities
• Reviewoftrainingandresponsibilitiesasreflectedinmeetingminutesandotherdocuments(trainingmaterials,newsletters,etc.).Dominutesreflectboard’sunderstanding?
• Review/auditboardeducation–howoftenisitconducted?Conductinterviewstoassessboardunderstanding.
2.3 Appropriateescalationtooversightbody • Reviewminutes/checklistincomplianceofficerfiles
2.4
Commitmentfromtop
• Reviewcomplianceprogramresources(budget,staff).• Reviewdocumentationtoensurestaff,boardandmanagementareactivelyinvolvedinthe
program.• Conductinterviewsofboard,managementandstaff.
2.5 Processforescalationandaccountability Processreview(documentreview,interviews,etc.).Istheretimelyreportingandresolutionofmatters?
ComplianceBudget:
2.6 Appropriateoversightofbudget Reviewcharterofgoverningbody(Board)toverifyitincludesapprovalofcompliancebudget
2.7 Budgetisbasedonanassessmentofriskandprogramimprovement/effectiveness
IstheBoard’sapprovalofthebudgetbasedonidentifiedrisksandeffectivenessevaluation/programimprovement?
2.8 Sufficientcomplianceprogramresources(budget,staffing) Reviewbudgetandstaffingtoensuresignificantrisksaremanagedappropriately
ComplianceCommittees:
10
2.9 Activeinvolvementofcompliancecommitteemembers Trackpercentageofattendanceofeachcompliancecommitteememberoverthelastyear
2.10 Assurethatthecomplianceoversightcommitteegoalsandfunctionsareoutlined Reviewcharterofcommittee
2.11 Committeestructure Reviewdocumentationofstructureofcommitteesaswellascharters.Ensurenoconflictingcharters.
2.12 Compliancecommitteecompositionandattendance Reviewcharterandminutestoassureattendance.
2.13 Cascadeadministrationofcomplianceprogramthroughouttheorganization Differentoperationalareasgivesomecertification/disclosuretothecomplianceoffice
2.14 CompositionofComplianceCommittee Revieworganizationalcharttovalidatecorrectcomposition
2.15 Effectivenessofcompliancecommitteemeetings Keepexecutivereportcardbymemberqualitative/quantitativewithindicatorsofcontributionontopics
2.16 Engagement Inthelasttwoyears,havethecompliancecommitteemeetingsbeenheldinaccordancewiththecharter?
2.17EngagementofDirectors/Managers
Reviewcommitteestructuretoevaluatehowdirectors/managersareparticipatinginComplianceOperationalCommittee(s)meetingincludesagenda,minutes,attendanceandreportsfromsubcommittees
2.18 ExecutiveLeadershipengagedinComplianceProgram
Reviewfrequencyofmeetings,membership,attendance,agendaandminutesoverthepastyearoftheComplianceExecutiveCommitteetoincludeallmembersoftheSeniorExecutiveteamreceivinginformationdirectlyfromtheComplianceOfficer
Accountability:
2.19
Leadershipaccountability
Auditdocumentationandconductinterviews.Someexamplesmightinclude:• Employeeeducationcompletionrates• Demonstrationofpromotionofcompliance(e.g.,townhallmeetingpresentations,
newsletters,etc.)• Completionofauditorreviewactionitemswithinestablishedtimeframe
2.20 Managementaccountabilityforcompliance Processanddocumentreviewandinterviews.• Isthereamappingofoperationalormanagementresponsibleforchampioningcompliance?
11
• Isthereamappingofmanagementresponsibleforkeyareasofcompliancetoensureaccountability?
• Doestopmanagementsupportthecomplianceteam?
ComplianceOfficer:
2.21Competency • Certification(CHC,CHPC,CHRC)
• Annualevaluation,coaching,correctiveaction,professionaldevelopment
2.22 Isthecomplianceofficerakeystakeholderinthestrategicinitiativesoftheorganization
• Reviewparticipationofcomplianceofficerinstrategicplanningprocessandduediligenceprocesses.
2.23 Compliancedepartmentinvolvementinenterprise-wideinitiatives/entities/strategies(e.g.,involvementorpenetrationinjointventureinitiativesandotherorganizationalinventory)
• Processreview,includingreviewoforganizationalcharttoensurecompliancecapturesenterprise-wideentities.
• Interviewswithcomplianceandothercommittees.
2.24Complianceindependence/compliancestructure • Doesthereportingstructurereflectsthe"express"authorityrequired?
• Auditprogramcharters(complianceprogramorAuditcommittee)
2.25 Complianceintegration Audittodeterminetheextenttowhichcomplianceofficerisinvolvedintraining,policydevelopment,marketingandotheroperationalaspectsofthebusiness
2.26ComplianceOfficerreportingstructureandoversighttoensuredirectaccesstoCsuiteandboard
• Documentreview-Lookatorganizationalchartandconductinterviews.• ReviewboardminutesanddocumentationthatthereareregularmeetingswithCEOandor
appropriateparties.• Ensurecomplianceofficerhasauthorityandiscomfortabletogotoboard.
2.27
Complianceofficer’sindependence/objectivity
• Reviewcomplianceofficer’sjobdescription.Doess/hereportdirectlytoCEO,board(notCFOorLegal)?Conductinterviews,focusedgroups,audit.
• Seatinglocationofcompliancewiththebusiness,seniorteamsaretogether,anddottedlineonorgchart
• Interviewcomplianceofficertoseeiftheyfeeltheyhaveindependence,dotheydocumentdisagreements,isthereexecutivesessionforauditcommittee.
• Interviewtheboard,reviewminutes,andinterviewtheCCO• Reviewofwrittenorganizationalstructure• VerifytheComplianceOfficerhastheindependentauthoritytoretainoutsidelegalcounsel• ReviewifthereisscreeningofcomplianceofficermaterialtotheBoardofDirectors
12
• RegularexecutivesessionoftheComplianceOfficerwiththeAuditandComplianceCommitteeoftheBoard
2.28 Credibilityofcomplianceofficer JobDescriptionreview,ongoingtrainingofcomplianceofficer,basiccompetencies,certifications,reportingstructure
2.29Howmuchauthoritydoesthecomplianceofficerhavetostartaworkinggrouptolookatchanges?
• Haveneededchangesbeenmade,andifnot,whynot?• Whatauthoritydoesthecomplianceofficerhaveandhowdoesheorsheexerciseit?• Whereisthecomplianceteamwithregardstoidentifyingworkinggroupstohelpattacka
newcompliancerisk?
2.30Howsupportedthecomplianceofficerfeels • Interviewcomplianceofficer;
• Documentationreview.
2.31
Organizationalperceptionofcomplianceofficerandcorporatecomplianceprogram
Surveyemployeesregarding:• Theirperceptionofthecomplianceofficerrole.• Whethertheyknowwhothecomplianceteamis,howtogettothemand,whattotellthem.• Isthecompliancestaffapproachable?• Arethecompliancestaffsolutionfacilitatorsorlookedatastheorganizationalpoliceforce?
2.32 Complianceproblemsolvingandadequacyofprocess Processreview
Staffing:
2.33
Adequacyofstaffingandresources
• FTEsassignedtocompliancefunction• Reviewcompliancemattersandiftheyhavebeenaddressedtimely.• Reviewandensurepoliciesandproceduresareimplementedandbeingfollowed.• Reviewdocumentationofreportstocommittee(s)andboard.• Assessstatusofworkplanandanydelays.• Ensuredocumentationofriskassessment.• Reviewdocumentationregardingdiscussionsatboardlevelregardingbudget.• Reviewbenchmarkingdatafromsimilarentities.
2.34 Assuranceofstaffing Reviewqualificationsofstaff;ratioofcompliancestafftobusiness,compensationtothebusiness
2.35 Adequacyofcompliancestaffbasedonriskassessment Riskassessmentconsidersthenumberandcompetencyofstaffrequiredtoaddressrisk
13
CompliancePlan:
2.36
Complianceplanassessments
• Documentreview,includingcomplianceplanandpolicies.• Isthereanexternalreviewconductedperiodically?• Whatistheroleofinternalauditwithregardingtocompliance?• Howdoesinternalauditinteractwithcompliance?• Benchmarkprogramwithsimilarsizeswithinthesameindustry
2.37 Complianceplanprocess Auditprocessfordevelopmentoftheannualcomplianceplan.
2.38 Complianceorganization Assessthepositioningandeffectivenessofthecomplianceorganizationstaff,titles,organizationalchart,pay,promotionrecordscomparedtootherareaswithintheorganization
2.39 Documentthatestablishestheauthorityoftheprogram Documentreview,meetingminutesforapproval.
2.40 Perceptionofcomplianceprogram Surveyemployees
Culture:
2.41 Accountability SURVEY-Doesthecompliancedepartmenthaveanimpactonhowyoudoyourjob?(Yes/No/Don'tknow)
2.42 AccuracyandTrustinMonitoring SURVEY:Doyoubelievetheinformationfromyourdepartmentisreportedwithahighdegreeofintegrityandaccuracy?(Yes/No/Don’tknow)
2.43Culture
Conductculturalsurvey(interviews,confidentialsurveys,focusgroups,etc.)andreportfindingstocompliancecommitteeandboard.Reviewminutestoensurereportoutandactionplanestablished.
2.44 Effectivenessofcomplianceprograminthefield Surveyoffieldcompliancepeople
2.45
Whatiscompanydoingtodrivecomplianceculture?
Surveys.• Whatdoescompanyincentivize?• Whatdoesthecompanypromoteandlookdownon?• Iscomplianceprogramtiedtomission,vision,values?
2.46 Employeecommentsfrom“Rounding” Auditthetrackingofwhatemployeesreportwhenproactivelyaskedbycompliancedepartment(orleadership,etc.)andhowthisinformationismanagedandreported.
14
2.47 Measuringeffectivenessofexecutivecommunicationoncompliance Trackon-lineengagement(clicks)andsurveyaudience
Incentives:
2.48 Aligningperformancemanagementsystem(promotionsystem)withethicsandcomplianceobjectives
Auditcriteriaofpromotion,bonusesandassignments
2.49 ComplianceandEthicsRole/participationfordevelopingtheincentivesystem
Haveanoutsideindependentexpertaudittheincentivesystemandcomplianceofficer'sparticipation
2.50 Isincentivesystemconsistentwithcomplianceprogram EmployeeSurvey
PerformanceEvaluations:
2.51 Properalignmentofcomplianceobjectiveswithorganizationalperformanceincentives(promotions/performanceappraisals/bonuses)
• Auditdisciplinaryrecordsandperformanceevaluationsforconsistencywithcompliance• Audit/Reviewofprocessforperformanceincentives(promotions/performance
appraisals/bonuses)criteriatoincludecompliancecomponents
2.52
“Compliance”asaperformanceappraisalelement
• Auditperformanceappraisals.Someoptionsinclude:o Acknowledgmentofnodisciplinaryactiono Educationcompletiono Documentationofpromotionofcompliance
• Aremeritincreasestiedtoperformance?• Doescompletionofcomplianceeducation,promotionofcompliancethroughwords,actions
ornodocumenteddisciplinaryactionand/or,completionofcorrectiveactionplanswithintheduedatesplayaroleintothecalculationofmeritincrease?
• ComplianceispartoftheannualperformanceevaluationandHRknowshowtoevaluateissuesforcompliance
2.53 Managerperformanceevaluations Managershaveopendoorpolicy,communicatecompliancedirectives/initiatives,addresscompliancemattersandeffectivenessisnotedinperformanceevaluation.
2.54 Iscompliancetakenintoaccountinpromotiondecisions?
Reviewpromotionlistsanddocumentationtosupportpromotion.Didtheindividualactivelypromotecompliance?
2.55 OrganizationalRetaliation Trackwhistleblowerpromotion,bonuses,sickdays,disciplinary,correctiveactionmeasuresandexitinterviewoverlongterm
15
RiskAssessments:
2.56 ComplianceResourceknowledgeandcompetence Survey,focusgroupsandinterviews
2.57 Compliancestaffknowledgeofcurrentregulatorychangesandlaws
Documentreviewandinterviews.Reviewcertificatesofattendanceatconferences/othereducationalevents,“tools”usedtokeepcompliancestaffcurrent,compliancebudget(tosupportaccesstocurrentregulatorychangesandlaws).
2.58
Monitoringofregulationsthatimpacttheorganization
Documentandprocessreview,interviews.• Isthereapolicyandprocedure?• Isthereevidencethatregulations,etc.aredisseminatedandimplemented?• Aretheredesignatedindividual(s)thatmonitorlaws,regulations,policiesthatimpact
organization?• Howdotheygettheinformationandwhatdotheydowithittomakesureitgetstotheright
people?
2.59RiskAssessmentCycle • Auditadherencetoriskassessmentcycle
• Annualdocumentedriskassessmenthasbeencommunicatedtooversightcommittee
2.60 Riskbasedworkplanthatcoverscomplianceplanelementswithboardapprovalandregularreportingonthoseprojectstoboard
ComplianceCommitteeandboardminutesreview.
2.61 Workplandevelopmentbasedonriskassessment Processanddocumentreview.
2.62 Prioritizationofriskandconsultationwithapplicableriskpartners(i.e.,legal,HR,IT,riskmanagement,etc.)
Documentationandprocessreview.Isthereariskbasedplan?Howwasitdeveloped?
2.63 Exitinterview Complianceconcernsthatcomeupinexitinterviewsareaddressed
ComplianceWorkPlan:
2.64 Complianceworkplan Audittoensuretheworkplanisdevelopedandimplementedanditisfollowed-throughandoutcomesarereportedtocompliancecommitteeortogoverningbody
16
2.65 Effectivenessofcomplianceprogram Writtenannualworkplanthatincludesminutes
LegalCounsel'sRole:
2.66Roleofcounselincomplianceprocess
Interviewcounselregardingtheirinvolvement.• Whentheyarebroughtintomatters?• Whereiscounselsituatedinrelationtocomplianceofficeronorganizationalchart?
2.67 Existenceandadherencetopolicyoninvolvementoflegalinhandlingmattersunderprivilege Reviewpolicyandsampleareasthatwerereferredtolegalfollowedthepolicy
Other:
2.68 Jobdescriptionsofmanagement Reviewofmanagementjobdescriptions.DomanagershaveconcretecompliancedeliverablesotherthantrainingandabidingbyCodeofConduct?
Element3:ScreeningandEvaluationofEmployees,Physicians,VendorsandotherAgentsA.Assureorganizationhasprocessesinplacetoidentifyanddiscloseconflictsofinterest.B.Assureinclusionofcomplianceobligationsinalljobdescriptions.C.Assureinclusionofcomplianceaccountabilitiesasanelementofperformanceevaluation.D.Verifybackground/sanctionchecksareconductedinaccordancewithapplicablerulesandlaws(e.g.,employment,promotions,credentialing).E.Assurecompliance-sensitiveexitinterviewsoccur.F.Monitorgovernmentsanctionlistsforexcludedindividuals/entities(e.g.,OIG,GSA,SDN,SDGT).G.Verifyduediligenceisconductedonthirdparties(e.g.,consultants,vendors,acquisitions).H.Assurecorrectiveactionistakenbasedonbackground/sanctioncheckfindings.Source:CHCCandidateHandbook:DetailedContentOutline
17
Element3:ScreeningandEvaluationofEmployees,Physicians,VendorsandotherAgents
WhattoMeasure HowtoMeasure
Accountabilityforscreening:
3.1 Theindividual(s)responsibleforexclusionscreeninghasclearaccountabilityforthescreeningfunction.
• Auditthejobdescription,trainingmaterial,orientationmaterial,andannualperformanceevaluationoftheindividual(s)responsibleforexclusionscreeningtoensurethisresponsibilityisclearlyarticulatedandperformanceismeasured.
• Annuallyreview/discusstheexclusionscreeningprocessindividuallywitheachpersonresponsibleforsanctioncheckscreening;reviewthedocumentretentionprocessestoensuredocumentationofthescreeningfunction,responsetofindings,andcorrectiveactionsareadequatelymaintained.
ConflictofInterest:
3.2 Potentialconflictsofinterestaredisclosed. Audittheconflictofinterestdisclosuresforcompletenessandtheextenttowhichthosewhocompletethedisclosureinformation.
3.3 TheorganizationconductseffectiveeducationonConflictofInterest(COI)
• Reviewtrainingmaterialsandinterviewstafftodeterminetheeffectivenessoftheeducation.• Auditcompletedattestationsordisclosurestoensueindividualsaredisclosingconflicts
accordingtoeducationprovided.
Employeeaccountability:
3.4 Theextenttowhichemployeesaremadeawareofcomplianceexpectations.
Conductfocusedinterviewswithemployeesandaudittheperformancereviewprocesstoensurecomplianceexpectationsarewellunderstoodandemployeesareheldaccountablefortheseexpectations.
3.5 Accountabilityforcomplianceisclearlyarticulatedinemployeeperformanceevaluations.
Auditperformanceevaluationstoensurecomplianceobligationsareclearlyarticulatedandperformanceagainsttheserequirementsismeasured.
3.6 Accountabilityforcomplianceisclearlyarticulatedinemployeejobdescriptions.
Auditjobdescriptionstoensurecomplianceobligationsareclearlyarticulated.
18
3.7 Employeesareprovidededucationregardingtheircomplianceobligationsandtheyunderstandtheserequirements.
• Auditemployeeeducationfilestoensureeducationisbeingprovidedaccordingtotheorganizationstrainingplansand/orpoliciesandprocedures.
• Reviewpost-teststoconfirmunderstanding.• Interviewemployeestoconfirmtheirunderstandingoftheircomplianceobligationsand
responsibilities.
Employeedisclosure:
3.8 Theorganizationhasestablishedapolicythatrequiresprospectiveandcurrentemployees,andprospectiveandcurrentvendorstodisclosetotheorganizationiftheyareormaybeexcluded.
• Auditandconductadocumentreviewtoensuredisclosurerequirementsareclearlyarticulatedinthepolicyanddisclosuresarebeingmadeasrequired.
• Conductapolicyreviewtoensurethatthatimmediatereportingisarequirementforemployeesandaprovisioninvendoragreements.
Employeescreening:
3.9 Allemployeesarescreenedpriortohire. Audithumanresourcefilestoensuredocumentationsupportsthatnewlyhiredemployeeswerescreenedpriortotheirfirstdayworked.
3.10 Screeningconsidersothernames/aliasandStatesusedbyaprospectiveemployee.
Reviewapplicationsforeachtypeofscreening(criminal,OIG,SAM,State,SSN,etc.)andaudittodetermineifscreeningwascompletedagainstothernames/statesusedbytheprospectiveemployee.
3.11 Theorganizationhasdefinedwhichemployees,vendors,medicalstaff,andotherswillundergocriminal,financialand/orotherbackgroundcheckspriortohire.
• Performassessment/audittoensuretheorganizationhadidentifiedwhichindividualsreceivecriminal,financial,SocialSecuritytrace,drugscreening,orotherbackgroundchecks.
• Audittoensuresuchbackgroundchecksarebeingperformedandreviewedpriortoemployment.
3.12 Theorganizationhasdefinedcriteriaforreviewofcriminal,financial,and/orotherbackgroundchecksandhiringdecisionaremadebasedonthisestablishedcriteria.
Performassessment/audittoensuretheorganizationhasestablishedcriteriatoevaluatetheacceptabilityofacandidatebasedonfindingsofcriminal,financial,orotherbackgroundcheck(s)usedbytheorganization.
3.13 Employeesareprovidededucationregardingtheorganization’sscreeningprocess.
Interviewemployeesandconductdocumentationreviewstoconfirmthatemployeesunderstandtheimportanceofnotlettinglicensesexpireandtheeffectofexclusion.
19
3.14 Theorganizationensuresthatapplicantsforemploymentunderstanddisclosurerequirements.
Reviewemploymentapplicationstoensuredisclosureismadetoprospectiveemployees,includingexclusionandbackgroundscreeningrequirements,andthesescreeningsarecompleted.
3.15 Theorganizationhasestablishedapolicyregardingthefrequencyofscreening.
• Performadocumentreviewtoensurethefrequencyofscreeningisbeingdoneinaccordancewithpolicy.
• Auditthescreeningprocesstoensurescreeningisbeingcompletedaccordingtopolicy.
3.16 Theorganizationhasestablishedsufficientcontrolsinthehiringprocessandvendorengagementprocesstopreventtheorganizationfromhiringanineligibleindividualorentity.
• Audit,performdocumentreview,interviewsstaffandvendors,andconductdataminingtodetermineifsufficientcontrolsareinplacetopreventtheorganizationfromhiringan“ineligible”individualorentity.
• Usedata-miningtocomparelistsofnewemployeeswithduediligencelists.
• Ensurethevendormasterfileisupdatedwithvendorsthathavebeenscreened.
3.17 Theorganizationhasestablishedascreeningprogramthatisconsistentwithalllawsandregulations.
Conductalegalreviewandanalysisofscreeningprocesstoensureitisbeingadministeredinamannerconsistentwithfederalandstatelaws.
3.18 Theorganizationhasestablishedaprocesstoscreenemployeesandotherrelevantindividualsatleastmonthly.
Auditscreeningprocesstoensurescreeningofemployeesandotherrelevantindividualsisbeingconductedatleastmonthlyandaccordingtopolicy.
3.19 Theorganizationhasestablishedapolicyandprocedurewhichdefinesthescreeningrequirementsforemployees,vendors,medicalstaffandothers.
Thepoliciesincludedescriptionofthedatabasesthatindividualswillbescreenedagainstandthefrequencyofscreening.
• Conductadocumentreviewtoverifythepolicyandprocedurehasbeenestablished,iscomplete,andaudittoensurescreeningisbeingconductedconsistentwithpolicy.
• Performassessment/audittoensureorganizationhasidentifiedwhichliststocheckandhowofteneachischeckedandthescreeningsarebeingcheckedperpolicy.
• Performassessment/audittoensureallrelevanttypesofindividualsandentities(employees,temps,vendors,etc.)arebeingscreenedperpolicy.
3.20 Theorganizationhasaprocesstodeterminewhenadditionalscreeningmaybenecessarybasedonfindingsfromcomplianceinvestigations.(Relevantevent(situational)screening(R.E.S.))
Conductareviewofcomplianceinvestigationfilestodetermineifconsiderationforadditionalscreeningiswarrantedandreviewtheresultsofadditionalscreeningcompletedaspartoftheinvestigationprocess(situational)whenapplicable
20
3.21 Theorganizationhasapolicyandprocedurewhicharticulatestheprocessforscreening,investigationofpotential“hits,”actionstakeninresponsetoapositivefinding,trackingexclusions,andcommunicationtoappropriatestakeholders.
Conductdocumentationreviewandaudittoensurescreeningisbeingcompletedaccordingtopolicyrequirementsandthatallprocesselementsrelatedtoinvestigation,resolution,tracking,andcommunicationarebeingmanagedaccordingtopolicyrequirements.
ExitInterviews:
3.22 Employeeawarenessoforganization’scomplianceprogram.
Revieworganization’semployeeterminationprocesssuchasexitinterviews,surveys,and/orquestionnairestotestforemployeeawarenessoftheorganization’scomplianceprogram.
3.23 Employeeexitinterviewsareconductedandemployeesareaskedaboutthecomplianceprogramandanyconcerns,risks,violationsorfailuresofthecomplianceprogram.
• Revieworganization’semployeeterminationprocesssuchasexitinterviews,surveys,and/orquestionnairestoensurecomplianceprogramquestionsareincorporatedintoexitinterviewsandtheexitinterviewsarereviewedandevaluated.
• Audittoensureallterminated/separatingemployeeshavecompletedanexitinterviewandthatcompliancequestionsareincludedandevaluated.
3.24 Vendorsandother3rdpartiesareinterviewedattheterminationoftheengagementandaskedabouttheirawarenessofthecomplianceprogramandanyconcerns,risks,violations,orfailuresofthecomplianceprogram.
Revieworganization’svendortermination/off-boardingprocesssuchasinterviews,surveys,and/orquestionnairestoensurecomplianceprogramquestionsareincorporatedintotheprocessandinterviews/resultsarereviewedandevaluated.
3.25 Theorganizationhasestablishedapolicyandprocedureforconductingexitinterviewsforemployeesleavingtheorganization.Theexitinterviewprocessincludesquestionsrelatedtocomplianceobligationsandanyknownviolationsoflaw,policies,orprocedures.
Reviewpolicyandproceduretoensuretheorganizationhasanestablishedprocess.Auditexitinterviewfilestoensureinterviewsarebeingconductedaccordingtopolicy.Reviewtoensurethatanyidentifiedviolationsoflaw,policyorprocedurearethoroughlyinvestigated.
HighRiskScreening:
3.26 Theorganizationhasestablishedapolicyidentifyinghighriskpositionsintheorganizationthatmayrequireadditionalscreening.
Conductpolicyreviewtoensurehighriskpositions(e.g.,cliniciansworkingwithchildrenormentalhealth,cashhandlers)areidentifiedinpolicy,andthepolicyincludesadescriptionofany
21
additionalscreeningrequirements(fingerprinting,financialbackgroundchecks,etc.).Reviewemploymentandvendorfilestoensuretheadditionalscreeningisoccurringaccordingtopolicy.
Licensure:
3.27 Theorganizationhasaprocesstoensurethatindividualswhotransferpositionswithintheorganizationareappropriatelylicensedandcredentialedforthejobtheywillbeperforming.
Auditandconductadocumentreview,audittoensureaprocessforexaminationoflicensesandcredentialsisestablishedforemployeestransferringpositionswithintheorganization.Audittoconfirmprocessisbeingfollowedandindividualstransferredhaveappropriatelicenseandcredentialsforthepositiontheyareassuming.
3.28 Theorganizationhasestablishedapolicyandprocedureforlicensureandcertificationreviews,includingreviewuponhire,upontransfer,andduringrenewalperiods.
Performdocumentreviewandaudittoensureapolicyforverificationandreviewoflicenseandcertification,includingsourceverification,existsandlicensesandcertificationsareconsistentlyreviewedaccordingtopolicy.
ResponsetoExclusion:
3.29 Appropriateactionistakeninresponsetopotentialandidentifiedexclusion
Audittoensurerefundsareinitiatedifrequiredandemployment,contract,ormedicalstaffactionistakenupondiscovery(includingvendors).
ResponsetoScreening:
3.30 Theorganizationtakesactionontheresultsofscreening.
Performadocumentreviewtoensurescreeningresultsarebeingevaluatedandappropriateactionistakenwherenecessary.
3.31 Theorganizationhasestablishedaprocessforinvestigationandresolutionofpositive"hits."
Auditprocesstoensure“hits”areinvestigatedandthatfalsepositivesareresolvedwhenthereisconfirmationthattheindividualdoesnotmatchtheexcludedindividual.
3.32 Theorganizationhasapolicyandprocedureinplacethatarticulateshowpotentialsanctionswillbeevaluatedandresolved.
Conductdocumentandprocessreviewandauditrecentidentifiedsanctionstoensuretheevaluationandresolutionisconsistentwithpolicy.
Vendor:
3.33 Vendorsandother3rdpartiesadequatelysatisfycomplianceobligations
Conductauditofvendorsandother3rdpartiestoensuretheyhavedocumentedevidenceofrequiredcompliancetraining,orientationtotheorganizationsStandardsofConduct,orientationtoapplicablecompliancepoliciesandprocedures.
22
3.34 Theorganizationhasestablishedaprocesstoensurevendorandotherthirdpartyagreementsaremanagedconsistentwiththetermsoftheagreement.
Conductadocumentreviewandinterviewstoensurethereiscommunicationbetweenlawyerswhodeveloptheagreementsandfacilitylevelpersonnelmanagingtheengagementtomakesureitisimplementedandbeingmanagedaccordingtothetermsoftheagreement.
3.35 Theorganizationrequiresvendorsandotherthirdpartiestocertifyscreeninghasbeencompletedasrequiredbytheagreement.
Audittodeterminethatvendorsrespondtorequestforcertification.Reviewprocesstodeterminethatactionstakenforfailuretorespondorproviderequiredcertificationsareconsistentwiththeagreement.Ensurethatresponsetocertificationisreviewedbyanappropriateindividualandcommunicatedtofacilityoperations.Audittoensurethatrenewaldecisionsconsidercompliancewithcertificationrequirements.
3.36 Theorganizationhasestablishedapolicyoutliningthecomplianceobligationsofvendorsandotherthirdparties(includingadherencetotheStandardsofConduct).Vendoragreementsincludetherighttoauditthevendortoensurecompliancewiththeirobligations.
Conductdocumentreviewandperformauditstoensurevendorsmeetthecomplianceobligationsrequired.
3.37 Theorganizationhasestablishedapolicyprohibitingvendorsthatareexcludedfromworkingintheorganization.
Auditexclusionstoensurepolicyisbeingadheredto.
VendorScreening:
3.38 Vendorsandother3rdpartiesareadequatelyscreenedforexclusion.
• Auditvendorrecordsandcrosschecktoensurethevendorisadequatelyscreened,inaccordancewithagreementand/orentityrequirements.
• Developchecklistofcriteriaforvendorcompliancereviewandauditagainstthatlistforvendorscreeningrequirements.
• Surveypeerorganizationstoensuretheorganization’svendorand3rdpartyscreeningprocessisconsistentwithindustrypractice.
3.39
Theorganizationhasaneffectiveprocesstoreviewthirdpartyvendors. Auditandconductadocumentreviewtoensure:
• Thirdpartycontractsallowfororganizationtoreviewvendorfilesforcompliancewithscreeningrequirements.
23
• Theorganizationhasrequestedthethirdparty’spolicyandprocedurerelatedtovendorscreeningofemployees.
• Theorganizationconductsreviewsofthirdpartycontracts.
• Theorganizationhasestablishedapolicyonhowoftenscreeningsarerequiredtobedonebythethirdparty.
• Theorganizationhasestablishedapolicyrequiringthirdpartiestoproduceproofthattheyarecheckingtheiremployees.
• Theorganizationhasestablishedapolicyestablishingwhichdatabasesthirdpartiesarechecking,especiallyregardingpractitioners,includinggeographicspecifics(statedatabases).
• Theorganizationhasestablishedaprocessforindependentevaluationofwhatscreeningthevendorissupplying.
3.40 Theorganizationhasrequirements,viapolicyorcontractualterms,forscreeningoffirst-tier,downstreamandrelatedentities(contractors)
Audittoverityevidencethatcontractorsarebeingscreenedpursuanttocontractualrequirements.
Element4:Communication,Education,andTrainingonComplianceIssues A.Disseminateregulatoryguidancematerial.B.Communicatecomplianceinformationthroughouttheorganization.C.Assurecompliancetrainingoccurs.D.Distillcomplexlawsandregulationsintoaformatemployeescanunderstand.E.Assureworkforcestaffareeducatedoncompliancepolicies.F.Assureamechanismexiststoevaluateemployeeunderstandingofcomplianceresponsibilities.G.Promoteacultureofcompliancethroughouttheorganization.H.Encourageemployeestoseekguidanceandclarificationwhenindoubt.I.Participateincontinuingeducationtomaintainprofessionalcompetence.J.Verifyparticipationinongoingcompliancetrainingprogramsistracked.K.Assuregeneralcompliancetrainingisconductedforallemployees,physicians,vendors,andotheragents.L.Assurerisk-specifictrainingisconductedfortargetedemployees.M.ProvideHRandmanagementwithtrainingtorecognizecomplianceriskassociatedwithemployeemisconduct.Source:CHCCandidateHandbook:DetailedContentOutline
24
Element4:Communication,Education,andTrainingonComplianceIssues
WhattoMeasure HowtoMeasure
Training:
4.1
Theorganizationprovidesriskareaspecifictrainingtoemployeesdesignatedtobeinhighriskpositions.
• Audittoensuretheorganizationhasdesignatedthepositionsdeemedtobehighrisk(coding,billing,physicians,etc.)andestablishedtrainingrequirementsforthesehighriskpositions.
• Comparerisksposedbythesepositionsagainsttrainingmaterialstoensurespecificrisksareaddressed.
• Audithighrisktrainingcompletionrates.
4.2Theorganizationhasestablishedacompliancetrainingplan.Theorganizationassuresthattrainingiscompletedaccordingtotheestablishedplan.Thetrainingplanisperiodicallyupdatedorrefreshed.
• Conductdocumentreviewtoensurethetrainingplanexistsandincludesrequiredtraining,expectedaudience,topicscovered,andmethodfordeployment.
• Auditsign-insheetsorothertrackingtoolstoensureindividualsareattendingrequiredtraining.
• Reviewtoensuretrainingplanisperiodicallyupdated.
4.3Theorganizationdefinestheappropriateaudienceforeachtypeofcompliancetraining(general,issuespecific,highrisk,etc.).
• Auditjobcodestoensurethecorrecttraininghasbeenassigned.• Reviewjobcodestoensuretraining,includingjobspecificjobtrainingisbeingconducted
accordingtotheestablishedtrainingplan.
4.4TheorganizationoffersCEU’s,whenappropriate,foritscomplianceeducationandtraining.
• PerformadocumentationreviewtodeterminetheextenttowhichtheorganizationoffersCEUsforcompliancetraining.
• EvaluatetheeffectofofferingCEUsontrainingcompletionrates.
4.5 Theorganizationhasestablishedaprocess,policyand/orproceduretocommunicateandprovidetrainingtoemployeesonnewlaws,regulations,policies,andprocedures.
Conductadocumentreviewtoensureaprocessforcommunicatingandtrainingemployeesonnewlaws,regulations,policies,andprocedureshasbeenestablishedandsuchcommunicationandtrainingisbeingconductedconsistentwiththeestablishedprocess.
4.6 Theorganizationhasestablishedapolicyrequiringcompliancetrainingandeducation.Theorganization
• Conductadocumentreviewtoensureapolicyhasbeenestablishedanditisperiodicallyupdated.
25
regularlyupdatestheeducationpolicyandmonitorscompliancewithtrainingrequirements.
• Confirmbyauditthatemployeesarecompletingeducationalrequirementsaccordingtothepolicy.
4.7Complianceeducation/informationisincludedinalleducationdeployedthroughoutorganization.
Conductadocumentationreviewtoverifythatatleastonecompliancerelatedtopic/slideisincludedineveryeducationalpresentation,program,ormoduledeployedthroughouttheorganization.
4.8 Theorganizationbasestrainingforindividualswhoaredesignatedtobeinhigh-riskpositionsonaformalprocessforassessingriskandevaluatingcontrolvulnerabilities.Theorganizationdevelopsissue-specifictrainingbasedontheresultsoftheriskassessmentandidentifiedinternalcontrolweaknesses.
• Conductareviewoftheprocesstheorganizationhasforassessingriskandevaluatingcontrolweaknesses.
• Reviewthetrainingplanandtrainingmaterialstoensurethetrainingaddressesthoseissuesthatareofsignificantriskandthattheorganizationmaybevulnerableto.
4.9Theorganizationhascreatedtheircompliancetrainingprogramaroundjobfamiliestoaddressspecificrisksidentifiedwithinajobfamily.
• Auditthecompliancetrainingprogramtodetermineiftrainingistailoredtotherisksidentifiedandassociatedwithspecificjobfamilies.
• Audittoensuretrainingisassignedbasedonjobfamilies.
4.10
Theorganizationevaluatespolicyandcompliancefailuresandprovidesre-educationtoapplicablestaff.
• Auditfilesofknownpolicyorcompliancefailurestoensurere-trainingisconsideredaspartofcorrectiveaction.
• Audittoensurethere-trainingiscompleted.• Trackforreoccurrencestodeterminetheeffectivenessofthere-trainingandemployee
understanding.
4.11 Theorganizationtracksdisclosurereports(hotlinecalls,directcontactstothecompliancedepartment)followingemployeeeducationtodeterminetheextenttowhichtheeducationwaseffectiveatraisingemployeeawarenessofspecificareasofvulnerability.
• Monitor,auditandreviewdisclosuretrackinglogstoevaluatetheeffectofeducationondisclosures.
• Trackhowemployeesbecomeawareofissuestoanalyzetheeffecttraininghasonemployeeawarenessandreporting.
4.12
Theorganizationmaintainsdocumentationofalleducationprovided.
• Conductdocumentreviewandaudittoensureallcompliancerelatededucationisdocumented,includingmaterialcovered,attendees,anddeploymentmethod.
• Audittoensuredocumentationofpost-trainingtestsismaintainedtoevaluateemployeelevelofunderstanding.
26
4.13 Theorganizationstrainingplanisregularlyupdatedtoaddressnewlawsandregulations.
Obtainfromcounsellistofnewlawsandregulationsandauditagainsttrainingplantoensurenewlawsareadequatelyaddressed.
4.14
Theorganizationhasconsideredthemosteffectivemethodforcomplianceeducationdeployment.
• Reviewthetrainingplantoensuretheorganizationhasconsideredthemosteffectivemethodofdisseminatingtrainingtoemployees,medicalstaff,contractors,leadership,Board,andothers(on-line,written,in-person,smallorlargegroup,etc.).
• Audittrainingrecordstodetermineiftraininghasbeendeployedaccordingtoplan.
4.15Theorganizationhasestablishedaformalmethodfororientingnewemployeestothecomplianceprogramandtheirobligationsandresponsibilities.
• Audittoensureemployeeshavereceivedtheircomplianceorientationconsistentwiththeorientationpolicy.
• Reviewnames,datesandmaterialsusedtoorientnewemployeestothecomplianceprogramoverthepast2years
4.16 Theorganizationhasconsideredtheaccessibilityofcomplianceeducationtoindividualswithdisabilitiesorlanguagebarriersandprovideseducationinvariousformatstoaccommodateindividualswithdisabilitiesorlanguagebarriers.
Surveyemployeeswithcommunicationissuesordisabilitiestoensuretheeducationwasaccessibleandunderstandable.
4.17 Employeesoftheorganizationperceivecomplianceeducationasusefulandsufficienttoaddressthecompliancerequirementsintheirjob.
Surveyemployeestounderstandtheirperceptionofcompliancetrainingusefulnessandsufficiency.
4.18Theorganizationhasestablishedamethod(s)toevaluatetheeffectivenessofcomplianceeducation.
• Conductdocumentreviewtodetermineiftheorganizationhasestablishedamethodforevaluatingtheeffectivenessofcompliancetraining.
• Auditincidentlogsandhotlinereportstoevaluatetheeffecttraininghashadonbehavior.
4.19Theorganizationmeasurestheeffectivenessoftrainingthoughtheuseofpost-trainingtestsorevaluations.
• Conductdocumentreviewtoevaluatetheexistenceofpost-trainingtestsorevaluations.• Reviewtoconfirmtheresultsofpost-trainingtestsorevaluationsareevaluatedandtracked.• Reviewtoconfirmmodificationstotrainingmaterialsconsidersfeedbackfrompost-training
testsorevaluations.
4.20 Theorganizationintegratesspecificrisksidentifiedthroughtheriskassessmentprocessintocompliancetraining.
Compareriskassessmenttotrainingplantoensurethehighriskissuesidentifiedareincludedinthetrainingplan.
27
4.21Theorganizationsolicitsfeedbackfromemployeesoncompliancetrainingneeds.Employeerecommendationsareincludedintrainingmodulesdisseminated.
• Conductdocumentreviewtoensureemployeessurveyedfortheirtraining/educationneedsandwhatfeeltheyneedtrainingon.
• Interviewstafftoassesseffectivenessoftrainingplan• Confirmthattrainingconsidersemployeefeedback.
4.22 Theorganizationhasestablishedapolicyregardingthefrequencyofrequiredcompliancetraining.
Audittraininglogstoensurecompliancerelatedtrainingisdisseminatedandcompletedasrequiredbypolicy.
4.23Theorganizationupdatescompliancetrainingbasedonnewpolicies,procedures,processes,laws,andregulations.
• Revieweducationupdateprocess.• Verifyissuesidentifiedthroughtheriskassessment,issuetrackingsystem,andotherinternal
andexternaltrackingsystemsareconsideredandevaluatedastrainingprogramsareupdated.
4.24Theorganizationevaluatestrainingeffectiveness. Conductknowledgesurvey6monthsaftertrainingisdeployed.
Accountability:
4.25 Theorganizationhasestablishedanincentiveprogramthatties,inpart,meetingcomplianceobjectivestoincentivepaymentsandotherperks.
Reviewperformanceevaluationstoensuretheyincludecomplianceelementsaspartofperformance,merit,andincentivereview.
4.26Theorganizationhasestablishedmechanismstoensurethatemployeesareheldaccountablefortheircomplianceobligations.
• Reviewjobdescriptionsandperformanceevaluationsforspecificcompliancemetrics.• ReviewStandardsofConductandotherawarenessinformationtoensurecompliance
obligationsareclearlyarticulated,includingtherequirementtoreportcomplianceconcerns.
4.27 Theorganizationhasamechanisminplacetoevaluatetheextenttowhichemployeesunderstandtheircomplianceresponsibilities.
Surveyemployeestotesttheirunderstandingoftheircomplianceobligationsandresponsibilities.
4.28 TheorganizationholdsmanagementemployeesaccountableforensuringtheiremployeesunderstandtheStandardsofConductandcompliancerelatedresponsibilities
Reviewdepartmentmeetingminutesandconductrandomstaffinterviewstodetermineiffirst-linemanagersdiscusscomplianceobligationswiththeirdirectreportsandthatstaffunderstandspecificcompliancerequirementsassociatedwiththeirjob.
28
4.29 Theorganizationhasestablishedapolicyregardingsanctionsforthoseemployeeswhodon’tcompleterequiredcompliancetrainingandsanctionsemployeesaccordingtotheestablishedguidelines.
• Documentreviewandaudittoensureapolicyexistsrelatedtosanctionsforfailuretocompletecompliancetraining.
• Audittoensurepolicyisbeingfollowedasdescribed.
Awareness:
4.30 Employeesareawareofandunderstandtheorganization’scomplianceprogramandunderstandtheirresponsibilitiesundertheprogram.
Surveyemployees.
4.31 TheorganizationpromotescompliancethroughactivitiessuchasComplianceAwarenessWeek,ComplianceFairs,orotheremployeeinvolvementactivities.
Reviewifandhowtheorganizationengagesinactivitiesdesignedtopromotecomplianceawareness.
Board:
4.32 TheorganizationhasestablishedspecificcompliancecompetenciesformembersoftheBoardCompositionandappropriategoverningcommittees.
PerformadocumentreviewtoensuresufficientcompliancecompetenciesexistwithintheBoardandappropriategoverningcommitteemembership.
4.33TheorganizationhasestablishedaformalprogramtoorientnewBoardmembersandseniorleaderstothecomplianceprogramandtheirobligationsandresponsibilities.
• ConductdocumentreviewtodetermineiftheorganizationhasformalizedacomplianceorientationprogramfornewexecutivesandnewBoardmembers.
• Conductanaudittoensureorientationisprovidedasrequiredbytheorientationpolicy.• Reviewnames,datesandmaterialsusedtoorientnewmembersoftheBoardofDirectors
andseniorleaderstothecomplianceprogramoverthepast2years.
4.34 Theorganization’strainingplanprovidesforspecificeducationthatwillbeprovidedtotheBoardandseniorexecutives.Theplanincludesthetopicsthatwillbecovered,thefrequencyoftraining,includescurrentindustrydevelopmentsandresources,andprovideseducationontheirresponsibilitiesforcompliance.
ReviewtrainingmaterialsprovidedtotheBoardandseniorexecutivesandconductpersonalinterviewstoensuretrainingisprovidedpursuanttotheplanandthelevelofunderstandingofthematerialpresented.
29
4.35Theorganizationprovidesseniorleadershipandboardmembercomplianceeducationandtheyadjuststrategyandoperationsinresponsetothetrainingandotherinformationprovidedtothem.
• Conductadocumentreviewtodeterminetheresponses/questionsposedbyseniorleadersandBoardmembersaftertraining.
• Evaluateeffectoftrainingontheorganization’soperationsandstrategy.• TrackquestionsposedbyseniorleadersandBoardmemberstodeterminelevelof
understandingofmaterialpresented.
Communication:
4.36 Theorganization’sperformanceappraisalsandjobdescriptionsincludetherequirementforemployeestopromotecompliance.Employeesatalllevelsoftheorganizationcananddoarticulatethecompliance/ethicsmessage.Thereisarequirementthatmanagersinsertcompliancemessagesintomeetingsandothercommunicationswithstaff.
Performadocumentreview,conductemployeepersonalfileaudits,andintervieworsurveyemployeestoensuretheorganization’scomplianceprogram,includingexpectationsandresponsibilitiesareformallyandinformallycommunicatedtotheemployeepopulation.
4.37
Acomplianceprogramcommunicationplanisdevelopedandimplemented.
• Reviewtheorganization’scommunicationplantoensuretheplanaddresseskeymessagingforemployees.
• Conductfocusgroupdiscussionsandsurveyemployeesontheeffectivenessofthismessaging.
4.38 Thecompliancedepartment/staffregularlypresentcomplianceprograminformationandupdatesatstaffmeetings,otherdepartmentmeetings,boardmeetings,townhalls,andotherforums.
• Conductadocumentreviewtoensurethecompliancedepartment/staffregularlyprovideupdatestotheorganizationandisavisiblepresenceatvariousmeetings.
• Confirmtheorganizationdocumentsandtracksallsuchpresentations.
4.39Theorganizationrequirescompliancerepresentativestobepresentateveryseniormanagementandgovernance-levelmeeting.
• Conductadocumentationreviewtoverifythereisanexpectationforcompliancetoberepresentedatallseniormanagementandgovernance-levelmeeting.
• Confirmbyauditthatacompliancerepresentativehasattendedallsuchmeetings.
4.40Theorganizationprovidescomplianceinformation,training,andupdatesinamannerthatisunderstandableforemployees(readinglevel,languages,casestudies,verbalcommunication)
• Surveyemployeestodeterminetheeffectivenessandlevelofunderstandingbyemployeestothematerialpresented.
• Conductpost-trainingevaluations.• Reviewandtrackquestionsanddisclosuresmadefollowingthedisseminationofinformation
andeducation.
30
4.41 Theorganizationensuresthereisadequatetwo-waycommunicationbetweenthecompliancedepartmentstaffandemployeessuchasperiodiccheck-inswithemployeesandfollow-upwithemployeeswhoreportconcerns.
Surveyemployeestodetermine:
• theirperceptionofhowaccessiblethecompliancestaffis,• iftheyknowtoreportconcerns,and• iftheybelievetheirconcernsaretakenseriouslyandareadequatelyaddressed.
Competency:
4.42 Theorganizationhasdefinedthecompetenciesrequiredforthecompliancestaffincludingrequirementsforcertificationorotherspecificskills/expertise.
Reviewjobdescriptionsandpersonnelfilesforallcompliancestafftoensurespecificcompliancecompetenciesandcertificationrequirementsaredesignatedandthestaffpossesstherequiredcompetencies/certifications.
4.43
Theorganizationrequiresallcompliancestafftomaintaintheircompetencybyattendingappropriateeducationalsessions.
• Conductadocumentationreviewtoverifythatrequirementsforcompliancestaffeducation,includingprofessionaldevelopment,areestablished.
• Audittoverifythatcompliancestaffattendeducationasrequired.• Reviewcompliancedepartmentbudgettoensuresufficientresourcesaredevotedto
providingappropriateeducation(includingconferences)tothecompliancestaff.
4.44Theorganizationprovidesfocusededucationtocompliancestaffmemberstoensuretheyarecompetentinevaluatingandinvestigatingissues.
• Conductdocumentreviewtoevaluatetheeducationprovidedtocompliancestaff.• Reviewtoensurecompliancestaffbeingtrainedonconductinginternalinvestigations,audits,
performingriskassessments,vulnerabilityanalysis,etc.
4.45Developmentplanforcompliancestaff Reviewdocumentationofdevelopmentplanandmonitortoensurethatplanrequirementsare
completedannuallyorasotherwisespecifiedintheplan
Culture:
4.46
Theorganizationhasestablishedacultureofcompliance.
• Surveyallemployeestodeterminetheextenttowhichemployeesbelievethereisacultureofcomplianceintheorganizationandemployeeunderstandingofthecomplianceculture.
• Reviewtheorganization’scompliancetrainingmaterialtodetermineifscenariobasedtrainingand/orotherinteractivetrainingmethodsareusedtopromoteunderstanding.
Incentives:
31
4.47 Theorganizationhasestablishedmethodsfor
rewardingandrecognizingemployeesforcomplianceactivities.
Reviewincentive,rewards,andrecognitionsprogramstoensuresuccessfulachievementofcompliancemetricsareconsideredwhenrecognizingandrewardingemployeesandleadership.
VendorsandVolunteers:
4.48
Theorganizationhasestablishedthetrainingrequirementsforvendors.
• Conductdocumentreviewtoensuretheorganizationhasestablishedtrainingrequirementsforvendors.
• Reviewfilestoensurevendorshavecompletedtrainingasrequired.• Conductsitevisitstoreviewvendoremployeecompletionofrequirededucation.
4.49 Theorganizationhasestablishedthecompliance
trainingrequirementsforvolunteers.• Conductdocumentreviewtoensuretheorganizationhasestablishedtrainingrequirements
forvolunteers.• Reviewfilestoensurevolunteershavecompletedtrainingasrequired.
Element5:Monitoring,Auditing,andInternalReportingSystemsA.Protectanonymityandconfidentialitywithinlegalandpracticallimits.B.Publicizethereportingsystemtoallworkforcemembers,vendors,andagents.C.Assuremonitoringoccursforviolationsoflawsandregulations.D.Conductorganizationalriskassessments.E.Developworkplanbasedonriskassessment.F.Maintainreportingsystem(s)toenableemployeestoreportanynoncompliance(e.g.,hotline).G.Respondtocomplianceconcernsexpressedbyemployeesthroughinternalreporting.H.Assuretheexistenceofproceduresformonitoringadherencetocompliancepoliciesandprocedures.I.Conductcomplianceaudits.J.Analyzecomplianceauditresults(e.g.,track,trend,benchmark).K.Developanannualcomplianceauditplan.L.Evaluateresultsofauditsconductedbyexternalentities.M.Monitorthatretaliationforreportingcomplianceconcernshasnotoccurred.N.Recognizeneedforattorneyconsultationintheauditing/monitoringprocess.O.Employauditingmethodologiesthatareobjectiveandindependent.P.Determinesamplingmethodologyconsistentwithcircumstances.Q.Assureatimelyresponseismadetoreportedcomplianceconcerns.
32
R.Monitormanagement’simplementationofcorrectiveactionplans.S.Providetimelyfeedbacktomanagementoncomplianceconcernsbasedonauditresults.Source:CHCCandidateHandbook:DetailedContentOutline
Element5:Monitoring,Auditing,andInternalReportingSystems
WhattoMeasure HowtoMeasure
ReportingSystem:
5.1 Accessibilityofreportingsystem Interviews.Surveys.Askemployeesandmanagersifthereportingsystemisaccessibletothem.Isitavailableinlanguagesthataremostspokenintheorganization?
5.2Adherenceto60-dayoverpaymentrule Reviewincidenttracker;ensuredaystoopenordaystoclosedonotexceedthattimeframe.Track
effortstoidentify;statusbenchmarksspecificdaystocompletion.
5.3 Trustinthesystem Survey-Doyoufeelyoucanfreelyreportethicsandcomplianceissueswithoutfearofretaliationfrommanagers?(Yes/No/Don'tKnow).
5.4ReportingandInvestigationProcess Reviewexternalbenchmarkingreports(#ofcalls,timeittakestoclosecases,anonymous,etc.).
5.5Reportingsystem–complianceresponsetoreporters
Documentreview.Focusedgroupsandspeakingwithemployeesabouthotline.• Arecallsmadethroughreportingsystemresponsivetoreporters?• Arepoliciesfollowedregardingtheresponsetoreportsreceived?• Arereportsrespondedtoonregularintervalsandupdatedappropriately?
5.6
ReportingSystem:Hotline/Directcontacts
Documentreview,audit.• Arehotlinecallsormattersbroughttotheattentionofthecompliancedepartment
(directcontacts)categorized,trended,andreportedtothecompliancecommitteeandboardlevelcommittee?
• Aretheretracking,trendingandreportingofhowthesemattershavebeenresolved?
5.7 Reportingtocompliance(hotline,reporttothecomplianceofficers,etc.) Reportsreflectcommunicationmethods(call,anonymous,email,direct,etc.)?
33
5.8Thoroughnessofinvestigationfiles Review5investigationfilesforsummaryofissue,interviewsconductedandsummaryof
interviews,investigationsummaryandresults/conclusionandcorrectiveaction(asapplicable).
5.9Timetorespondtoincidentreport Reviewdatereported,dateresponded,dateinvestigationclosed.
5.10
Promotionofreportingsystem
Documentationreview.Interviews,visualwalk-throughs.• Arehotlinepostershanginginconspicuousareas?• Interviewstaff–dotheyknowhowtoreport?• Audituseofreportingsystem(howfrequentlyisitused)?Considerinternalorexternal
reportingbenchmarks.
5.11
Publishedreportingsystem
Survey.• Isthereahotline,complianceofficer?• Howtoreport?• Howtofindinformation?
5.12Demonstrationofaformalcomplianceprogram Documentreview.Isthereidentificationofprioritizationofkeycomplianceindicators;reporting
andescalatingtocomplianceoversightcommittee?
5.13 Documentationtosupportresolutionofreportedmatters. Audit.Documentreview.
5.14
Effectivenessofcompliancedepartment
Documentreview,surveys,interviews,focusgroups.• Isthereareportcardonassociates’comfortlevel?• Dotheyknowwhotogotowithconcerns?• Dotheyknowwhomtotrust?• Istherefollow-through?• Whatisthetrustandintegrityaroundmembersofcompliancedepartment?
5.15 Disciplinefornon-compliance Documentreview,interviews.Monitortoensuredisciplinepoliciesarefollowed.
5.16 EffectivenessofFollow-uptoComplianceConcerns Interview/surveycallerforsatisfactionwithfollow-upofconcern.
5.17CultureSurvey
Documentreview,assessmentofresponses.Doculturesurveysincludequestionssuchas:• Doyouknowhowtoreportconcerns?• Areyouwillingtoreportconcerns?
34
• Doyoutrustthatconcernswillbeaddressedfairlywhenreported?
5.18 Awarenessandeffectivenessofinternalreportingsystem
Reviewsystemuse.Looktomakesureemployees,vendors,contractorscanreport;gaugethelevelofretaliation;individualcomfortofreportingsystems;survey.Conductinterviews.
5.19 Awarenessofthediscipline Survey.
5.20
Hotlinereportingsystem/vendor
Monitor.• Aretestcallsofthesystemconducted?• Arethecallsanswered?• Ifexternalvendor,aretheyfollowingtheorganization’sdocumentednotification
protocol?
5.21
Internalreportingfrombusinesspartners,contractors,etc.
Contractreviewandinterviews.• Iscompliancedepartmentawareofthecontractswithbusinesspartners,contractors,
etc.?• Isthereaninventoryofpartners?• Dotheyknowhowtocontactcompliancedepartmentwithissues?
5.22Investigationresolutionandtimeliness
Documentationreview.• Arereportsclosedtimely?• Aretherecompletionnotesanddatesmattersandsubmittedtoboard?
5.23PresenceofInternalReportingSystem
Reviewpoliciesandproceduresandmechanismsforinternalreporting.Aremattersbeingreportedaccordingtopolicy?Whatshouldbereportedupinregardstocompliance?Checktoseeifithasbeenreportedupappropriately.
5.24 Processofhowaconcernishandled Reviewdocumentationthatreflectsthisprocess;auditcasefilestodemonstratethisdecisionprocesswasfollowed.Isitamanagementissue,legalissue,other?Isthereatriagetree?
5.25 Subordinateconduct Interviews.Documentreviews.Doesorganizationmeasurewhetherlinemanagersaremonitoringtheconductoftheirsubordinates?
5.26 Writtenescalationprocess Documentationreview.Isthereawrittenproceduretodetermineatwhatpointamattermustbereportedtotheboard,committee,orgovernmentagency?
RiskAssessments:
5.27RiskAssessment
Documentation/processreview.• Isthereadocumentedenterprise-wideriskassessment?
35
• Whatistheworkplancreationprocess?• Isinternalauditincluded?• Isafraudriskassessmentconducted?• Isthisinformationusedasabasisforcreatingtheauditingandmonitoringplanorwork
plan?
5.28
RiskAssessmentProcess
Processmapofriskassessmentprocess.• Whoparticipates?• Howaretopicsprioritized?• Whatistheprocess?• Howaremitigationstepsdetermined?• Iseducationprovided?• Howaretheresultsreported?
5.29 Riskbasedwork/auditplan Documentreview.Isthecompliancework/auditplanbasedonadocumentedriskassessmentandisitriskbased?
5.30Follow-uptoRiskAssessment
Reviewprocessforfindingsofriskassessmentandwhetherimplemented;auditormonitorimplementation;auditandmonitorasnecessaryafterimplementationtomitigaterisk(closingtheloop).
5.31 Frequencyofriskassessment,scopeandcoverageandtoolsusedforriskassessment Audittheriskassessmentprocessfortheseareas.
5.32 Informationflowfrombusinessunitstocompliancedepartmentfortheriskassessmentprocess Interviews.
5.33
Internalauditdepartment’srelationshipwithcompliancedepartment
Documentreview,interviews.• Isriskassessmentutilizedtocreateannualauditplan?• Whoparticipatesintheriskassessment?• Arethereroutineinteractionsbetweencomplianceandinternalaudit?• Howmanyinternalaudithoursaredesignatedforcompliancerelatedwork?• Or,howareauditsdelegatedtointernalauditorcomplianceafterriskassessmentis
completed?
5.34 Isauditingandmonitoringbasedonriskareasidentifiedinriskassessmentprocess Reviewriskassessmentprocessandwhatauditsandmonitoringareonworkplans.
36
5.35 Monitoringeffectiveness Documentreview.Isthemonitoringplanlinkedtoriskassessmentstomakesurehighestriskareasarecovered?
5.36
Participationofbusinessleadershipinriskresolution
Verifythatriskreportingisgoingtobusinessleadership;routineinclusionofrisksatcompliancecommittee;assessmentofeffectivefollow-upwhenriskresolutionisoff-track.
MonitoringandAuditingWorkPlan:
5.37
Methodtocreateauditplan
Document/processreview.• Whatinternallyandexternallyareusedtocreatetheriskbasedplan?• Isareviewofsubmittedcorrectiveactionplansincludedinthereviewandplanning
process?
5.38 Auditandmonitoringbasedonriskassessment Documentreviewcomparisonofaudit/monitoringplan.
5.39 Approvalprocessofworkplans ReviewminutesofBoardandComplianceCommitteemeetings.
5.40 Auditingandmonitoringprocess Documentandprocessreview.Howisannualworkplandeveloped?Whoisresponsibleforit?
5.41 Aretheresufficientauditsconducted? Documentationreview.Lookatauditplan,including“adhoc”auditsthatwereunplanned,butconductedinresponsetoamatter.
5.42 Auditinventory Documentreview.Isthereaninventoryofallauditsbeingconductedeitherbyinternalstafforexternalconsultantsintheorganization?
5.43 Compliancedepartmentroleinestablishingauditplan Reviewofauditplanandprocesstoensurecomplianceiskeystakeholderandpartoftheprocess.
5.44 Definedprocesstohireoutsideexpertstoconductaudit/investigationandreview
Reviewpolicyandproceduresandinterviewdecisionmakersontheprocessandcriteriatotriggerthehiringofoutsideexpertstoconductaudit/investigationandreview.
5.45
Completionrateforcomplianceworkplan
Auditordocumentreview.• Weretheitemsontheworkplancompletedbytheduedate?• Ifnot,docompliancecommitteeandboardlevelcommitteeminutesreflectdiscussion
aboutthis?• Ifworkplanwaschanged,istherecompliancecommitteeandboardcommittee
documentationtosupportthis?
37
5.46Periodicreviewsofmonitoringandauditingplan
Documentreview.Ismonitoringandauditingplanreviewedperiodicallyatthecompliancecommitteeandboardlevelcommitteetomakesureitisstillfitforpurposeandfocusedonhigh-riskareasfortheorganization?
5.47 Randomauditingisconductedtoidentifyunknownrisks Portionoftheauditplanisbasedonrandomselection.
5.48 Effectivenessofgiftpolicyandprocedure SurveyongiftpolicyawarenessandauditgiftregistryorsystemforcompliancewithP&P.
AuditProcess:
5.49 Theneedfortheadviceofcounselrelatedtoaudits Reviewofreferralprocesstotrackattorneyreferral.Isorganizationtrackingthatattorneyis
consultedwhenauditfindingsnoteissues?
5.50 Validatetheorganizationisconductingaudits Processreview.
5.51 Auditresultsandactionsinresponsetoauditisreportedtothegoverningbody Reviewofminutes.
5.52 Auditresultsarepartofperformancereportsand/orincentives Documentationreview.
5.53
Authoritytoinitiateaudit
Documentreview.Interviews.Audit.• Istheredocumentationoutliningwhoisauthorizedtoinitiateanaudit,includingthe
engagementofoutsideconsultants?• Howisthisdone?• Howthoroughisit?
5.54 Auditprocess Processreview.Documentationreview.Areauditsdefinedwithissue,scope,objectives,andresources?
5.55 Accountability Createauditreportsforcomplianceauditsidentifyingpurpose,scope,sampleselection(ifapplicable),findings,conclusion,andrecommendations.
5.56 Auditbenchmarks Auditofauditsforbenchmarking-Aretheauditfindingsactionable?
5.57
Complianceauditresults
Processreviewanddocumentreview.• Areauditresultsbeinganalyzed,tracked,trendedandreported?• Forexample,howoftenareeducationorpoliciesandprocedurechangesneeded?• Ismanagement(notcompliance)responsibleforcorrectiveactionplans?
38
• Iscompliancemonitoringcorrectiveactionplanstocompletionandthenconductingfollow-upauditstoensuretheactionsremaininplace?
5.58 Meaningfulnessofaudits Reviewofaudittool.
5.59
Reportresults
Documentationreview.• Howisresolutionofdeficiencydocumented?• Howdoesthedepartmentdocument?Howdoesthedepartmenttrackwhatwas
accomplished(metric:spreadsheet-database)?
5.60
Reportingofauditresults
Processreview.Documentationreview.• Areauditresultsarereportedtooperations?• ComplianceCommittee?• Governingbody?
CorrectiveActionPlans:
5.61 Depthandbreadthofrootcauseanalysis Auditandinterviewprocesstodetermineifproperdepthandbreadthofrootcauseofconcernandproperincorporationintocorrectiveactionplan.
5.62 Accountabilityofcorrectiveaction Reviewagendas,minutesandreportstocompliancecommitteeoncorrectiveactionplans.
5.63 Actionplansinresponsetoanauditfinding Auditofauditstoensureactionplansaredocumented.
5.64 Areidentifiedrefundstracked,documentedandreturnedtimely? Auditandreviewofdocumentationtoensurecheckwentout.
5.65 Auditandinvestigationtrending Validationreviewsofcorrectiveactionplans.Areauditandinvestigationfindingstrackedfortrends?Rootcauseanalysis?Fixforentiresystem?
5.66
CorrectiveActionPlans
Documentreview.Audit.• Isthereadocumentedfollowupprocesstomakesuremanagementhascompleteditems
incorrectiveactionplans?• Werethecorrectiveactionssuccessfulincorrectingthedeficiency?• Arefollowupauditsconductedtoensurecorrectiveactionsdonotlapse?
5.67 Reportingofuntimelycorrectiveactions Validationaudits/follow-upaudits.Ifthereareun-timelycorrectiveactions,aretheyreportedtothecompliancecommitteeandgoverningbody?
5.68 Timelycorrectiveactions(newsafeguards/controls) Audittoensureauditshavecorrectiveactiondocumentedinatimelyfashion.
39
Auditors:
5.69 Auditingtheauditors Hirethirdpartytoauditauditorsorindividualcontributors;validateauditresults.
5.70 Auditorsdevelopauditinstructions Documentreview.Arethereguidelinesinplace?
5.71 Auditorsskillsetandcompetencytoaudittheissue Reviewauditworkproduct,personnelfiles,etc.
5.72 Independence AuditforIndependence-Reviewtoensurenovestedinterestinoutcomes,meetindependencerequirementasdefinedbyyellowbook.
5.73 Processtoevaluateauditorskillsettoensuretherightauditresourcesareselected(internalaudit,outsideauditor,etc.)
Reviewofauditorbackgroundandskillset.
5.74 Standardizationofauditprocess-auditorsapproachauditsinthesameway Auditreviewtomonitorforconsistency.
Non-Retaliation:
5.75 Monitoringforretaliation Exitinterviews/employeesurveys.
5.76 Retaliation Surveys,focusgroups,individualquestioning,exitinterviews.
Vendoroversight:
5.77Vendoroversight
• Reviewvendorcertifications;trackconsequencesforvendorsnotadheringtocomplianceprogram.
• Ensureallvendorcontractsincludeconsistentcompliancelanguage.
40
Element6:DisciplineforNon-Compliance
A.Recommenddisciplinaryactionwhennoncomplianceissubstantiated.B.Promotedisciplineproportionatetoviolation.C.Promotedisciplineconsistentwithpoliciesandprocedures.D.Verifythatdisciplineisenforcedconsistentlythroughoutalllevelsoftheorganization.E.Monitorforconsistentdocumentationofdisciplinaryaction.F.Recommendactionforindividualsandentitiesthathavebeenexcludedfromgovernmentprograms.G.Verifythatcompliance-relatedviolationsareaddressedindisciplinarypolicies.H.Coordinatewithmanagementthattimelydisciplinaryactionistaken.I.Verifythatdisciplinaryactionisreportedtoregulatorybodywhenrequired.Source:CHCCandidateHandbook:DetailedContentOutline
Element6:DisciplineforNon-Compliance
WhattoMeasure HowtoMeasure
Consistency:
6.1
Fairnessandconsistencyindisciplinaryprocess
Sample–audit.• Isthedisciplinaryactionpolicyconsistentlyfollowed?• Doesthecompliancecommitteereviewandmeasurefairnessandconsistencyinpolicy
application?• Auditdisciplinepersonnelfiles–considercreatingpredefineddisciplinematricesand
auditagainstthese.• Interviewonperceptionofdisciplineapplied,surveyonperception.• Isdisciplinaryactioninproportiontomatter?• Isthereconsistencyforsimilarmatters?
6.2
Approachtodeterminingtypeofdisciplinaryaction
ReviewofP&P.• Auditing/testingtodeterminewhetherthereisacommonapproachtoanalyzingthe
disciplineaspectofresolution.• Aretherestepsembeddedintoprotocol?
41
6.3 Complianceofficerinputintodisciplinaryactiondecisions
InterviewCCO,outcomesreview,andaudit.Arecomplianceofficer’srecommendationstakenseriously?
6.4
Decision-makingparties
• Auditpersonnelfiles.• Policyreview.• Isthereadisciplinaryactioncommitteeapproachtoreviewresultsofinvestigationand
previousactionsandtomakedecisions?• Aretheappropriateparties(e.g.Legal,HR,Compliance,etc.)partofdisciplineactiondecision-
makingprocess?
6.5 ThoroughnessofdisciplinaryP&P Reviewcriteriaofincludingcomplianceviolationsandwell-definedsanctionsforconsistentapplicationofdisciplinarypolicies.
6.6 Timelinessofdisciplinaryaction HRauditoffiles.Istimelydisciplineandactioncarriedout?
Awareness:
6.7Understanding Survey-Ispoorperformanceoncomplianceresponsibilitiesgroundsfordisciplinaryaction?
6.8Accuracy Verifyingthatpersoncompletedthecomplianceexpectationsthatwereattestedto.
6.9 Compliancegoals Documentationreview.Isthereconsiderationofcomplianceactivitiesindailyactivities?Reviewperformanceevaluations-Weregoalsaccomplished?
6.10 Complianceincentives Processreview;interviewsofleadershipandstaffinterviews.Whatistheroleofcompliancewhenitisimplemented?
6.11
Incentivepolicy
Documentreview,interviews,andfocusgroups.• Doestheorganizationdistributebadgesforcenters,ordepartmentsforparticipationin
compliancetraining?• Aretherecontestsforcompliancetrainingandpublishingoftestscores?
6.12 Distinctionbetweendisciplinaryactionandnon-retaliation
Interviews,reviewsofpolicies,etc.Assesstheeffectivenessoftheorganizationaldistinctionbetweendisciplineandnon-retaliationandmakesurethereareappropriateprotectionsregardingnon-retaliation.
42
6.13 Educationtoensureemployeesknowexpectations Auditcommunicationsregardingexpectationsanddisciplinepossible.ComparepolicyandStandardsofConducttoensuretheyareclearregardingdisciplinaryaction.
6.14 Employeeawarenessofdisciplinaryactionpolicy Interviews,surveys,etc.Doemployeesunderstandtherearedisciplineconsequencesfornon-compliance?
6.15Employee,vendor,contractorknowledgeofcodeofconductandtheircomplianceresponsibilities
Auditdocumentation.• Doemployees,vendors,andcontractorsknowtheirresponsibilitiesregardingcodeof
conduct?• Dotheysignannualattestations?
6.16 Transparencyregardinglessonslearned Documentreview.Arethelessonslearnedfromdisciplinaryactionconveyedandusedasaneducationaltoolfororganization?
6.17 Culture Survey-Doyoufeelemployeeswhoengageinimproperwork-relatedactivitieswillbecaught?
6.18 Non-retaliationforgoodfaithreporting Reviewdemotions,terminationsandconductemployeesurveys.
6.19 Proactiveeducationonviolationanddiscipline Reviewpolicyandprocedureandeducationandtraining
6.20
Recognitionandappreciation
Focusgroups,interviews.• Arethererecognitionandappreciationprogramsthatdonotincludeincentivizingwith
money?• Forexample,aretherenewsletters,reportstogoverningbody,websiteannouncements
torecognizethoseforexhibitingcomplianceandethicalbehaviorsandactions?
Documentation:
6.21Disciplinetransparency Documentationreview.Arehigh-levelresultsfromdisciplinaryactionpublished(e.g.,#of
terminations,#ofcounseling,#ofsuspensions,and#ofcorrectiveactionplans)?
6.22 Oversight ReviewminutesfornumberofdisciplinaryactionsforcomplianceandHIPAAviolationsinlastyearreportedtotheComplianceCommittee(dashboard)
6.23 Adequatedocumentation Review/auditdisciplinaryfilesforsupportingdocumentationofdisciplinaryaction.
6.24Complianceinbusinessplans
Document,processreview.• Istherealeadershipscorecardthatincludescompliancemetrics?• Aretherecomplianceincentivesbuiltintobusinessplans?
43
6.25 Notificationoflicensingboards HRfileaudit-beforeissueisclosed,isdocumentationpresentandincludedintrackingsystem?
6.26 Policy Documentreview.Audit.Isthereadocumentedpolicyaddressingdisciplinefornon-compliance?
6.27 Policyexceptions Filereviewofexceptions.Areexceptionstracked,documented,andevaluated?Whogetstomakethedecisionregardingexceptions?Isthisprocessdocumented?
6.28
Reportingtoregulatoryauthorities
Audit.Documentreview.• Lookatcriteriaforreportingandtimelinessachieved.• Auditcasesandtrack.• Ensuretimelyreportingtoregulatoryauthoritiesofpotentialviolationsanddisciplineto
demonstrateorganization’scommitmenttocompliance.
6.29 Scopeandinclusionofdisciplinaryactionpertainingtotheculture
Investigatebreadthofdisciplineandinclusion,auditdisciplinaryfiles,andconductinterview.Doesdisciplineincludethosewhoknowaboutitanddidn'treportitorcausedittohappenbutdidnotactuallydoit?
6.30 Scopeofdisciplinaryaction Audittoverify-Aretheredisciplinaryactions/consequencesfornotreporting?
6.31 Systemallowsfordocumentationofcomplianceissues
Document/Systemreview.DoesHRsystemhavemechanismforrecordingandtrackingcomplianceoffenses?
PromotionCriteria:
6.32 PromotionCriteria Reviewifcomplianceconsiderationswereincludedinpromotionprocessandcriteria.
6.33
Seniorexecutiveperformancereviews
Process,documentreview.• Beforepromotion,doescomplianceconductinterviewtoidentifyordiscusscompliance
issues?• Doesheadofcomplianceparticipateinthereviewsofseniorexecutives?• Istheretalkaboutcomplianceinitiativeswithregardstoseniorexecutiveperformance
reviews?
6.34
Performancereviews
Documentreview.• Isthererecognitionofcomplianceeffortsinperformancereviews?• Iscompliancebuiltintotheperformanceevaluationforrewardingemployeesand
disciplinaryaction?
44
Element7:InvestigationsandRemedialMeasuresA. Communicatenoncompliancethroughappropriatechannels.B. Assuredevelopmentofcorrectiveactionplansinresponsetononcompliance.C. Monitortheeffectivenessofcorrectiveactionplansinresponsetononcompliance.D. Assureremedialeffortsareimplementedtoreducerisk.E. Cooperatewithgovernmentinquiriesandinvestigations.F. Investigatemattersrelatedtononcomplianceinafair,objective,anddiscretemanner.G. Assurerecordsaremaintainedoncomplianceinvestigations.H. Participateinnegotiationwithregulatoryagencies.I. Assurethatoverpaymentstopayersarerefundedinatimelymanner.J. Collaboratewithlegalcounselregardingvoluntarydisclosures.K. Coordinateinvestigationstopreserveprivileges,asapplicable.L. Facilitateindependentinvestigationswhennecessary.M. Recommendmodificationofcorrectiveactionplans.N. Recognizeneedforsubjectmatterexperts.O. Assuredocumentsrelevanttoaninvestigationarepreserved.P. Assureinvestigationpersonnelhavethenecessaryskillsets.Q. Instituteimmediatemeasuresasnecessarytomitigateongoingharm.R. Recommendmeasurestoaddresssubstantiatedincidenceofretaliation.Source:CHCCandidateHandbook:DetailedContentOutline
45
Element7:InvestigationsandRemedialMeasures
WhattoMeasure HowtoMeasure
GuidelinesforConductinganInvestigation:
7.1 Theorganizationhasguidelinesestablishedtoensurethorough,credible,andcompleteinvestigationsaredoneinaconsistentmanner
Reviewguidelines,policyandprocedureand/orprotocolonconductinganinvestigation.
7.2 Effectivenessofinvestigativeprocess Reviewprocessforcommonstepstoembedintoaprotocol.Conductabaselinereviewtounderstandwhatthemandatorypartsoftheinvestigationframeworkareandwhatmaychangeduetosituationorcircumstance.• Istheoverallinvestigationprocessdrivenbyapolicyandprocedure,subjectmatterresource
involvement,objectivereviewer?• Istheprocesstransparent(noteverythingplacedunderattorneyclientprivilege)?• Isthereadocumentedinvestigationsprocessorprocedure?• Areinvestigationsbeingconductedconsistentwithwrittenprocedures?• Istheresomethingthattriggersasentinelevent,immediatereporting,theneedforexternal
consultantsorattorneys?• Whatistheapprovalprocess?• Whataretimelineswithregardsto60-dayrule?• Isthereacentralizedprocessforkeepingupwithallinvestigationsinprocess?• Howmuchflexibilityduetosituationorcircumstancesisappropriateandhowmuchneedsto
becontrolled?• Nextyear,istheprocesstightenedupgoingforward?
7.3 Individualaccountabilityaspartofinvestigativeplan. Audit.Documentreview.Interviews.• Isthereabaselineinvestigativeplanthatoutlinescommunicationplanforinterviewing
currentorprioremployees?• Doestheinvestigativeprocessincludespecialattentiontoindividualaccountability?• Isthereinvestigativemappingandoutlinetoaskquestionsaboutwhomaybeintheloopso
compliancecanbesuretheyarenotpartofreportinggroup?• Arethereappropriateprotectionsforpeoplebeinginterviewedandtherepresentationof
organization?
46
• Istheredocumentationthattheindividualisnotgivenassurancesthattherearenorepercussionsforhim/her?
7.4 Typeofdocumentationrequiredforremedialmeasuresandinvestigation
Reviewpoliciesandproceduresonrecordretentionandtypesofdocumentation
ContentofInvestigationFiles:
7.5 Assurerecordsaremaintainedoninvestigation Audittoask:• Isthereapolicyandprocedurefordocumentationthatneedstobemaintained?• Doinvestigativefilesmatchthepolicyrequirements(determinewhatshouldbeinthe
attorneyfileversustheinvestigationfile)?
7.6 Qualityofthedocumentation Assesswhetherthewho,what,whenandhowisansweredineveryinvestigation;samplelogentries
7.7 Assuredocumentsrelevanttoaninvestigationarepreserved
Readwrittenpolicyandprocedureforinvestigationrecords;readinvestigationfilesofHR,compliance,and/orlegaltoconfirmcompliancewithretentionperiod
QualityandConsistencyofInvestigations:
7.8 Qualityandeffectivenessofinvestigations Auditinvestigationstolookat:• qualityofquestionsaskedandcontentconsidered,involvedparties,andreportoutof
findings;• didtheyinvolvetheappropriatepartsoftheorganization;• aretheybroadenough;and• didtheyuseinternalorexternalauditors?
7.9 Thoroughness,timelinessandconsistencyofinvestigationprocessamonginvestigators
Auditinvestigationfiles
7.10 Triageprocess • Auditprocesstoreviewwhetherallegationswereappropriatelyandtimelyhandled• Dryrun,test,mockreport
7.11 ConsistencyofInvestigations Multipleanonymous(mock)reportsondifferentissuestotestprocess
47
7.12 Credibilityofinvestigationandremediationprocesstothirdparties
Demonstratingitbymockpresentation(devil’sadvocate)-roleplayingwhataregulatormightaskregardingtheinvestigationandremediationprocess.
TrackingandTrendingInvestigations
7.13 Investigationcategorizationprocessandtrending Documentationreviewandaudittrackingsystem.Areinvestigationsbeingcategorizedsotheycanbetracked,trendedandreportedtocompliancecommittee,seniormanagementandboard?
7.14 Retainingdocumentationofinvestigationsinrecordsmanagementsystem(tracking,trending,review)
Reviewofdocumentationinsystem
7.15 Documentingwhenissueissubstantiatedornotandreporting/trending
Reviewreports/process
7.16 Compliancelog(logandtrackinvestigations) • Doesalogexist;• Doesithaveinvestigationsandactionstaken;and• Aretheresupportingfilesforeachentrysothattheycanbereportedon(HR,Billing)toreport
thetrends?
EscalationofInvestigations
7.17 Ensureadequateandtimelyescalationofinvestigationoutcomes
Auditsampleofinvestigationfiles
7.18 Significantinvestigationsarereportedtothegoverningbody
Reviewboardminutes,reviewpoliciesrelatedtoboardreportingrequirements.
7.19 Investigationreportingtoseniorleadershipandboard
Documentreview,interviews.Areinvestigationsbeingreportedtoseniorleadershipandtheboard?
CommunicationofInvestigationOutcomes
7.20 Theappropriatecommunicationoftheinvestigationoutcomes(education)
• Conductanassessmentattheconclusionofaninvestigationofadditionalcommunicationtotheorganizationfororganizationallearningandcultureofcompliance
• Documentreviewofmeetingminutesand/orinterimreports.Wereinvestigationsresultsreportedtoseniorleadershipandboard?Howweretheresultscommunicated?
48
• Reviewhowresultsofinternalinvestigationsaresharedwiththeorganization'sgoverningbody,leadershipandrelevantdepartments.
7.21 Culture Surveyforwhetheremployeesbelievethatmanagementand/orthecomplianceofficerfollowsuponreportsofcomplianceconcernsandtakesappropriateactionwhenevernecessary?(Yes/No/Don'tknow)
7.22 Perceptionofinvestigationresultsbyemployeesandstakeholders
Focusgroupsorsurveyofemployees
7.23 Communicatenoncompliancethroughappropriatechannels
Readworkgroupmeetingminutesoremailstodeterminedistributionlistincludesappropriateindividuals(stakeholders,decisionmakers)
TrainingofInvestigators
7.24 Staffwhoconductinternalinvestigationshavetheeducationnecessarytoconductinvestigations
Peerreviewonsimilarorganizations.Reviewofcertificationsandeducationprovided.
7.25 Numberofemployeeswithappropriatecertificationsthatareconductinginvestigations
Reviewlistofinvestigatorsandtheircertifications
7.26 Investigatorshavetheskillset Interviewinvestigatorsandlookatworkproductforfacts
7.27 Training/competencyofinvestigators • Evaluatetrainingtranscripts,trainthemoninvestigationtechniques;• Reviewthetypeoftraininganyoneconductinginvestigationshasreceivedoverthepast2
years
ProfessionalismandCompetencyofinvestigators
7.28 Ensuringinvestigatorsareconductinginvestigationinprofessionalandrespectfulmanner
Interviewsubjects
7.29 Professionalismandeffectivenessofinvestigators Conductandobservemockinterviews
7.30 Strengthandcredibilityofinvestigationprocess Roleplayofinvestigationprocess
7.31 Investigatemattersinafairmatter,objectiveanddiscreetmanner
Peerbenchmarkingtoevaluate:• thetimeitshouldtaketoconductaninvestigation;
49
• whatpeersdotomakesureinvestigationsoccurdiscreetlyandtimely
Independenceofinvestigator
7.32 Objectivityofinvestigator Interviewsbyexternalsourcewithgoaltoensurenointernalorganizationalpressureontheinvestigatorsthatisimproper.
7.33 Assessinguniformityofusingoutsidecontractorsandexpertsintheinvestigationprocess
Reviewpoliciesandproceduresandauditfilesforcompliance
7.34 IndependenceandObjectivityofInvestigation Reviewpoliciesandprocedures,surveyemployeeperception,qualitycontrolprocess,etc.
7.35 Independenceofinvestigation(nointimidationisoccurring)
Workproductandinterviews;qualityofprocess(avoidreportingstructureconflictsofinterest;direct-report)
InvolvementofLegalCounsel
7.36 Coordinatinginvestigationstoprotectprivilegewhennecessary
Auditagainstpoliciesandprocedurestodetermineappropriateattachmentofprivilege
7.37 Collaboratingwithlegal • Lookatworkproducttodeterminequality;• Ensurecomplianceleadstheinvestigation(unlessinvestigationisbeingconductedunder
privilege);• Interviewcomplianceofficerandlegalcounseltodeterminethelevelofcollaboration.
TimelinessofResponse
7.38 Areimmediateactionstakenimmediately Auditinvestigationoutcomestoseeiftimely
7.39 Complianceofficerauthority Interviews,documentreviews.Ifconcernisraisedanditisharmful,managementneedsabilitytoreactimmediatelyevenifitisbeforeinvestigationiscomplete.Doesthecomplianceofficerhavetheabilityandauthoritytostopanaction(e.g.,billing)?
7.40 Timetoinvestigationclosure • Tracktimelinessagainstbenchmarkestablishedbyorganization;• Documentationreview.Islengthtocloseinvestigationsbeingdocumented,tracked,trended
andreported?
50
• Areresolutionactions(e.g.,education,newpolicy/procedure,correctiveactionplan,disclosure,repayment,etc.)beingdocumented,tracked,trendedandreported?
7.41 Timelyprocessingofrefunds,self-disclosures Audit,monitor,documentreviewofinvestigationsthatresultedinrefunds,disclosurestoensuretheywereprocessedinatimelyfashion.
7.42
Self-Disclosureguidelines Documentreview,interviews.• Aretherewrittenguidelinesforself-disclosures?• Dotheyaddressmembersimpacted,informationtobesharedwithregulators?
CorrectiveActionPlans/RemedialMeasures
7.43 Businessleadersareaccountableforfollow-uptoinvestigations
• Verificationthatinvestigativereportissharedwiththoseresponsibleforfollow-up.• ClosurereportsareprovidedtoComplianceCommittee.• Auditpostinvestigationtoensureresolutionismaintained.
7.44 Effectivenessofcorrectiveactions Documentationreviewofcorrectiveactionstimeframesmet,issuesclosedout,effectiveresolution.
7.45 Structure Reviewhowcorrectiveactionplansarecreated
7.46 Validatethatcorrectiveactionplansareappropriate,implementedandeffective
Review3correctiveactionplanstoensureidentifiedallissuesandconductvalidationvisits
7.47 Accountability • Reviewhowcorrectiveactionplansaretracked;• ReviewhowcorrectiveactionplansarereportedtoComplianceExecutiveCommittee
7.48 Ensureremedialmeasureforlikefindingsareconsistentlyimplemented
Audit
7.49 Measuringsufficiencyofcorrectiveactionplansthataredeveloped
Samplecasesthatweresubstantiatedandreviewthecorrespondingcorrectiveactionplanstoensuretheyrespondtoissuesidentifiedininternalandexternalauditsandinvestigations
7.50 Remedialactions-Appropriateremedialactionoccurred
Reviewinvestigationdocumentation,PowerPoint,trainingattestationisinthefile.
51
7.51 Ensureremedialeffortsareestablishedtoreducerisk
Basedontheoutcomeoftheinvestigation;deficiencywasfixed,evidenceitwasfixed,thereareotheritemstoreview(ex.Chargemaster)lookatthedownstreamimpact-employees,systemicissues(beyonddisciplinaryaction)
Rootcauseanalysis
7.52 Conductrootcauseanalysistodetermineiffindingsneedtobeaddressedinotherpartsoftheorganization
Auditdocumentation
7.53 Resolutionofinvestigations Audit.Wasrootcauseresolved?
7.54 Accountability/Structure Obtainalistofadhoccommitteesformedaroundspecificcomplianceissueoverthelast2years
Adherencetonon-retaliationpolicy
7.55 Monitoringhowthereporterfeelsabouthavingreported
Interview
7.56 Ensureconfidentialityofinvestigationprocess Surveyorfocusedgroups,interviewparticipantsininvestigations
7.57 Exitinterviewprocessqueriesforretaliation Reviewofexitinterviewprocess
7.58 Culture:Retaliation Surveys,interviews,exitinterviews.• Isthereapolicystatementinnewemployeeorientation?• Aretherecommunications?• Doemployeesknowhowtoreportpotentialinstances?• Doestheorganizationconductculturesurveys?• Isthereapolicystatementregardingnoobstructionofinvestigation?
7.59 Adherencetonon-retaliationpolicy Surveyparticipatesininvestigationtodetermineiftheyfeltorfearedretaliation
7.60 Substantiatedretaliation Audit
GovernmentInquires/Investigations
52
7.61 Cooperatewithgovernmentinquiries/investigations • Auditcreditreceivedforcooperation;• Readrecordsthatcontaingovernmentcorrespondencewithentity.Reviewandconfirm
appropriateresponsesweresubmittedonorbeforerequesteddate.
7.62 Strategicrelationshipwithregulators Interviews.• Isthereafocusedapproachtobuildingrelationshipswithregulators?• Doesstaffseekoutregulatorsatconferences,etc.tobuildrelationships?
7.63 Mockpresentations
Documentationreview.Interviews.• Doestheorganizationconductmockpresentations(e.g.,in-houseattorney“acts”as
governmententity?• Compliancepresentsadisciplinepartofcomplianceprogramtoin-houseattorneyfor
his/herreviewandcomment.)
MonitoringResults
7.64
Validationthatinvestigationsarecomplete
• Auditing,documentationreview,interviewsafterinvestigationsarecomplete.• Isthereadocumented(3-6-9months)timingintervaltoassesswhether“actionhastraction?”• Isthereaprocesstogobackandprioritizeorverifythatplansorworkunitsarefollowing
throughonrecommendedactions?
7.65 Reviewofinvestigationsinfutureworkplanning • Documentationreview.• Isthereananalysisofinvestigationstohelpinformfutureworkplans?
7.66 Longtermeffectivenessofremedialmeasures Audit-oneyearofremedialmeasureswhereactivemonitoringended6monthspriortovalidatethatremediationstillinplace
7.67 Howlargerlessonscanbeconveyedtotheorganization
COcouldreviewannuallythereportstotheboardorbroadercommunicationstotheentireorganization;revieweducationontrendsandthemes.
AwarenessofInvestigationProcess
7.68Educationoninvestigationsprocess
• Audit,monitortrainingrecordsandeducationalcontent.• Istrainingregardingtheinvestigationsprocessprovidedathireandongoingsoemployees
knowwhattoexpectregardingtheinvestigationsprocess?
7.69 Strategicrelationshipwithriskpartners(i.e.,Legal,HR,riskmanagement,etc.) Interviewriskpartnerstodetermineinteraction,involvement,knowledge.
53
ContractProvisionsregardingInvestigations
7.70 Thirdpartyandnon-employedcliniciancontractstoensuretheyhaveanobligationtocooperateininvestigations.
• Contractreview.• Inventoryofagreementswith3rdpartiesandnon-employedclinicianstomakesurethey
understandtheirobligationtocooperatewithinvestigations.
7.71 Inventoryofrequirementsincontracts Audit.Documentreview.Aretherestandardtermsthatmustbeincludedincontracts?Atemplatecanbeusedtoensureallrequirementsareincontracts.