Gain Support and Commitment
Board of Directors or Board of Trustees Support
The right culture begins with the Board. The Board is the accountable governing body who has the responsibility for overseeing the fiduciary assets and mission of the organization. Support from the top is very important; there can be no program at all, much less an effective one, without the vision and guidance of the board. It is the board that officially recognizes the need for a compliance program and authorizes its launch and implementation, including the hiring of a Compliance Officer. The Federal Sentencing Guidelines are very clear on the expected board commitment. The first step toward implementation of a compliance plan is management’s communication of its commitment. A resolution or memo from the board stating its unequivocal support for the program is a strong beginning. The source of such a statement may be different depending on the organization. In some organizations it might come from the chairman of the board, in others from the CEO. A teaching hospital or medical school may want the statement to come from the dean. Whatever the source, board endorsement should be in a written format; it must communicate unqualified support for and commitment to the compliance process and ethical business behavior; and it must be effectively communicated to everyone. Board oversight responsibilities are outlined in the OIG’s Practical Guidance for Health Care Governing Boards on Compliance Oversight as well as other documents such as Caremark, Sarbanes Oxley Act, etc.
One option is for the Board or CEO to distribute the memo or resolution to all managers. The managers then distribute the document to their managers so that the word trickles down and the message is reinforced that all managers endorse the compliance program. This approach also makes the compliance program directly accessible to staff and gives staff an opportunity to discuss the document in relatively small groups. A special department or unit meeting to discuss the program and distribute the letter can lend weight to the message. Or it can be an agenda item for a regularly scheduled meeting. Whatever the venue, staff should be given ample opportunity to ask questions and offer feedback.
Moreover, the board’s role does not end with voting to establish a compliance program and distributing a letter of support—nor does its responsibility. Ongoing, visible support from the board of directors is crucial. Most people care about what the boss cares about. When the board takes compliance seriously, that sense of importance will trickle down. Your board may need guidance in understanding the seriousness of compliance. They may not immediately recognize that “doing the right thing” contributes to good business, that compliance is a good, long-term investment. The board of directors or board of trustees, meeting infrequently and not always aware of day-to-day operations, can be insulated from problems. But in the case of compliance, the board must understand the implications of not taking active measures to prevent potential wrongdoing. They should be educated about the potential for liability and reminded of the Caremark International Derivative Litigation, which makes the board responsible for implementation of a system to gather information on the company’s efforts to prevent and detect fraud and abuse. It is in the best interest of the organization to have the board take an active rather than a passive role in compliance.
Management buy-in is critical in influencing and making a compliance program work, with support expressed in myriad ways. Compliance officers should spend time with management, including them in investigations, working with them in their development of corrective action plans, and just being available when needed. Attendance at educational programs cannot be mandatory for everyone except managers and vice presidents. Making time to demonstrate a personal commitment goes a long way to enhancing a system-wide commitment. After attending training sessions, managers should discuss the content with staff either at a regular department meeting or as circumstances permit.
Supervisors or managers must also lead by example, as actions speak louder than words. A manager cannot encourage employees to report questionable behavior and then give special treatment to a friend. And once a potential infraction is reported, the non-retaliation policy must be rigorously observed. It is up to management to make sure employees do not hesitate to come forward for fear of retaliation. The cultural tone is set by management and its actions.
Staying on top of compliance issues is a manager’s day-to-day obligation. Managers and supervisors must closely follow news and information from their professional organizations and pass along any and all compliance-related issues to the compliance office. The Compliance Officer is encouraged to be proactive and, from time to time, to ask managers and supervisors what new regulations are developing in their fields.
In the health care setting, the physician plays a key leadership role, so buy-in from physicians will be critical for any compliance program’s success. There will be frequent situations when a physician’s support can make all the difference. It will be to your advantage, therefore, to find a physician champion, someone who understands and supports the mission of the compliance program, someone who will back you up when you need it.
At the risk of generalization, physicians are, as a group, sometimes not enthusiastic about compliance. Physician buy-in has, in fact, been identified as among the top 10 obstacles to implementing an effective compliance program. If physicians seem skeptical, they may have good reason. Managed care has had a profound impact not just on remuneration but also on how medicine is practiced as well. And unless physicians understand what compliance means and how the program works, frustration will lead to opposition. But there are ways to communicate compliance to the physicians:
Discuss both business and clinical aspects of an issue
Emphasize clinical and fiscal improvements
Build trust through involvement
Involve physicians early in the process
Give physicians lots of data
Work one-on-one with them
Cultivate the early adopters and enthusiasts
Be a partner, not a dictator
Communicate, communicate, and communicate.
The earlier you achieve physician buy-in the better. Invite physicians to be members of the compliance committee and actively seek their input throughout the start-up—and beyond. When funding permits, sending a key physician to a compliance conference can provide valuable education as well as increased awareness, which facilitates support. Achieving physician buy-in will be an important challenge, but it is a critical element of launching an effective compliance program.
It isn’t a crime to make a mistake; it is a crime not to do anything about the mistake once it is detected. In launching a compliance program, staff will need to be convinced that looking for problem areas is not the sole responsibility of the compliance office—it is everyone’s job. Education is the first step, but also look for ways to heighten awareness on a day-to-day basis. When launching a compliance program, some organizations will distribute cups or pens with a compliance slogan and the organization name or logo. Everybody loves a freebie, and if the budget permits, these items can increase awareness and foster cooperation.
Staff buy-in will correlate directly with the organization’s ability to foster an environment of trust. As emphasized earlier, accepting the non-retaliation policy as nothing short of gospel will be the best way to ensure active staff participation. Rewarding and thanking those who come forward to do the right thing will provide immediate positive feedback to staff and reap long-term rewards for the compliance program overall. The Federal Sentencing Guidelines suggests offering incentives to those who follow the compliance and ethics program.
Management up to and including the board of directors must also be willing to make a financial commitment to compliance. Remember, compliance is not cheap. Staffing and space cost money, and most health care organizations have limited, even diminishing resources. While the level of commitment is not necessarily correlated directly with the resources (human and financial) allocated, a reasonable budget must be developed in consultation with the Compliance Officer. An organization unwilling to commit the necessary resources isn’t demonstrating support for the compliance program—and unquestionably and unfortunately— that message too will filter down through the organization.
Budget of Compliance Departments by Size of Organization
|TOTAL NUMBER OF EMPLOYEES|
|Annual Budget||Total respondents||999 or less||1,000 to 4,999||5,000 to 9,999||10,000 or more|
|less than $100,000||169||33.4%||118||53.9%||37||24.5%||5||9.6%||9||10.7%|
|$100,000 to $249,999||88||17.4%||53||24.2%||29||19.2%||3||5.8%||3||3.6%|
|$250,000 to $499,999||81||16.0%||28||12.8%||39||25.8%||8||15.4%||6||7.1%|
|$500,000 to $999,999||69||13.6%||12||5.5%||25||16.6%||19||36.5%||13||15.5%|
|$1 million or more||99||19.6%||8||3.7%||21||13.9%||17||32.7%||53||63.1%|
|Shaded boxes show highest number of respondents for each size of organization.|
Knowing what to do won’t make it happen. The reality is, you can’t do it without financial resources. But how much is enough? The right amount will depend on the organization, its size and scope of compliance responsibilities. Remember, the compliance program must influence everyone in the organization; adequate funding will go a long way to demonstrating and eliciting commitment. This is a good place to mention again that the only thing worse than having no policies is having them and not following them. Underfunding can be one source of such a situation. If investigated, a compliance program’s value in any settlement will depend largely on the government’s interpretation of the organization’s commitment to good corporate citizenship. In fact, “a compliance program that has neither the moral nor the budgetary support of senior management may actually be deemed as tacit approval for the inappropriate activities.”
Both external and internal risks and the controls to manage those risks factor into a budget. An identified risk area may require immediate attention and hence extra expense, perhaps specialized training or a new computer software program. Bear in mind that certain internal factors can impact, directly or indirectly, the compliance budget. For instance, if your organization has a high turnover rate, the compliance budget will need to provide for training the flow of new employees as well as the existing staff. A highly decentralized operation may call for either a centralization compliance process or additional monitoring to ensure procedures are consistent or at least consistently enforced. Other factors that can impact the compliance budget are poor communications infrastructure, poor data processing controls and compensation structures that emphasize financial performance with no compliance considerations. These might include misaligned incentives, which influence cultural norms and encourage action without regard to compliance.
Organization size, setting, and culture will influence how the compliance department is staffed. In small organizations the Compliance Officer role may not be full time, but rather a fraction of a full-time equivalent (FTE) position. In a large organization the compliance department will be much more extensive with a full-time Compliance Officer. According to aggregated data in the 2015 Health Care Chief Compliance Officers Salary Survey, 41% of responding organizations have two-to-five employees in the compliance department, and 24% have six or more.
For an organization able to consider more than one full-time employee, there are a variety of staffing possibilities. Because so much of compliance is education, an education coordinator can make a vital contribution to a program’s effort. Other valuable positions include someone to accumulate and analyze compliance data and auditors who can regularly review and help with documentation to identify trends and analyze them. Administrative support may also be necessary.
For larger organizations considering staffing needs, it should be noted that every facility or location should have a compliance designate or compliance field liaison. A remote site clinic may not need a full-time Compliance Officer because the corporate or central site has such a position. But even “part-time” compliance personnel need appropriate training and resources, such as a binder of relevant information, on-site. Employees at the remote sites must be educated as well. Be sure to budget accordingly. In addition, auditing and monitoring takes resources and subject matter experts. These may need to be outsourced due to lack of internal resources, so this is an area that can also impact budgets.
There are other operational expenses to consider, beginning with some sort of reporting method. Hotlines can be handled internally or externally; the costs of each option will need to be assessed. Outsourcing may be more economically feasible for many organizations. When looking for outside help, check references and make sure they have the same compliance philosophy that your organization does. It may be worthwhile to request outside proposals before you make a final decision. There’s nothing to lose in finding out what outsourcing can do for you.
Educational materials can be a considerable compliance expense. There are several methods that can be utilized. Web-based training can be effective, especially in large organizations. There are many vendors who can help design a Web-based program for your organization. A video program produced by your organization for general sessions and new employee orientation can be helpful. Even so, a video customized to your organization can be very expensive, but there are “off the shelf” videos that may well meet your needs. You will also need to provide for specialized training for physicians as well as the coding and billing departments. Such training can be offered by a qualified internal individual, or can be provided through outside consultant specialists and hence will have budget implications. In-house and ongoing training may require audio-visual equipment and software to create engaging visual materials. There will be costs for printing announcements, agendas, and handouts. Costs for printing the code of conduct and policies and procedures can be a surprisingly large number. And while the code of conduct doesn’t need to look like the annual report from a Fortune 500 company, this isn’t a document to skimp on either. Find the right look and feel for your organization—just remember to budget accordingly.
Internet access today is a must. All relevant government documents are available online as are innumerable other helpful compliance-related sites. Adequate computer support is critical.
Professional journals and newsletters are vital ways of keeping abreast of new developments, best practices, and industry trends. They will also provide articles, suggestions and ideas that can be circulated to appropriate managers or adapted for internal newsletters. Consider budgeting each year for compliance resources so you can gradually build a compliance library that will be a resource for the compliance department, the compliance committee, and the organization. Also, membership in a professional organization such as the Health Care Compliance Association is a good investment. Belonging to a professional organization such as HCCA reinforces your professional standing and provides you with a growing network of invaluable resources.
Finally, if your organization has an in-house counsel, consult with him or her to determine budgetary needs. If you currently rely on external counsel, you may want to alert the firm of your new or expanding compliance program and solicit estimates for additional costs. Such expenses may be part of the legal budget but it is best to be sure they are appropriately covered somewhere. The compliance professional may also want to consider his or her own independent legal resource for consulting with, which will have budget implications as well.
Six Tips for Saving on Future Costs of Compliance
Embed quality into existing processes—If processes that pose the greatest risk to the organization are revisited with an emphasis on quality, then the outcome of this exercise will be increased efficiency, increased customer satisfaction and better, less expensive compliance.
Centralize common processes and controls—Decentralized processes can lead to redundancy and inadequate oversight as well as extra expense.
Improve human resources infrastructures—Corporate culture is established by effective communication; communication is critical to training; training leads to compliance; compliance must be woven into the fabric of corporate culture. Turnover is the ‘smart bomb’ that disrupts the circle.
Improve information system processes—It is important and cost effective to embed compliance into technology through controls such as edit checks and reports that facilitate ongoing monitoring. Technology investments can save on some of the labor costs.
Emphasize training—The best way to correct an error is to prevent its occurrence.
Monitor marketing and compensation—Review marketing materials to be certain the message is consistent with corporate philosophy; new business ventures should be evaluated for risk and the ability of the organization to manage the risk; compensation structures should embed measurable compliance objectives.
Develop a Code of Conduct
When you roll out your compliance program to staff will depend on many factors. Certainly the sooner you can enlist staff participation the better. And you need not have everything absolutely final before you officially launch the compliance program companywide. However, you do need to have the code of conduct ready.
How the code of conduct is written can vary. The code of conduct is usually drafted by the Compliance Officer and then shared with the Board, compliance committee and management for input. By obtaining their input it helps to garner commitment. You may also want to have your compliance committee help to develop the code of conduct. In drafting the code the Compliance Officer can review sample Codes from other organizations. However, it is not advisable to “lift” a code of conduct from another source, make minor tweaks, and try to make it fit your organization. Your code of conduct should reflect your organization’s spirit, tone, and culture. If it doesn’t ring true to staff, securing their participation and cooperation in the compliance program will be much more difficult.
There may not be a “one size fits all” code of conduct but there are certain elements that every code should include. Most codes of conduct begin with the official Board resolution approving the compliance program or the memo announcing the launch of the program. The code should begin with this strong endorsement from the highest levels of management. An endorsement signed by the board chairman or the CEO makes the message personal and says “you have my word on it.” This executive message is the place to state unequivocally that everyone in the organization and all affiliates are expected to act in an ethical manner and abide by all applicable laws and regulations affecting the organization. A strong message in support of staff is also in order. The code of conduct provides guidelines and tools developed to help employees in situations created by today’s confusing and complex health care environment. Staff honesty is not the issue. When a situation poses uncertainty, the code of conduct provides guidance for appropriate conduct or, in more challenging situations, offers the way to get answers within the organization.
The code of conduct might be seen as an elaboration on the organization’s mission or vision, both of which deserve a highly visible place in the code of conduct. Many organizations have identified specific values that help accomplish the mission. If your organization has values in addition to the mission, these too should be prominently featured in the code of conduct.
As a resource for all staff and affiliates, the code of conduct should also include a detailed outline of procedures for handling questions about compliance or ethical issues, beginning with a description of chain of command. The best reporting mechanism is an open door. When a question arises, it is hoped the employee will feel comfortable in approaching his or her supervisor, the first link in the chain of command. In the event that the employee and the supervisor cannot resolve the issue, usually the department manager is the next step. If discussions with the supervisor and department manager are not satisfactory, the Compliance Officer should be consulted unless it is an HR issue, then it would go to HR. These steps should be delineated in the code of conduct along with a clearly stated promise of non-retaliation.
However, every employee will not be comfortable talking to management so there are alternate methods of reporting potential problems or posing questions. The code of conduct should provide a clear, concise explanation of how those alternate reporting methods work. For instance, list the hotline (or helpline) telephone number along with hours of operation. In this context, emphasize that all calls will be anonymous or held in complete confidence. To the extent possible, it will help to outline the procedures for how the organization will respond to reports or questions. Can you promise that the compliance department will investigate all reports or will handle every complaint equally and consistently, i.e., all get triaged, managed to resolution, etc.? Can you promise that all compliance-related questions or allegations, whether received through chain of command, the hotline, or other reporting mechanism, will be investigated within 48 hours? Such specifics are important to include but will be reassuring to staff only if there is evidence that this is occurring and is sustainable.
As a key element of an effective compliance program, every code of conduct will want to include a description of the compliance program along with names of all compliance office personnel and members of the compliance committee. Add pictures, phone numbers and e-mail addresses for all key contact personnel.
The narrative section of the code of conduct can deal with a wide variety of issues. For instance, high risk areas can be addressed in scenario based examples. You may cover general areas such as: conflicts of interest, Stark Law, gifts and gratuities, etc. Areas of specific weakness or risk should be addressed in the code, depending on the organizational setting. Most importantly, the code must emphasize zero tolerance for fraud or abuse, a commitment to submitting accurate and timely billing, and compliance with all laws and regulations. Consequences of malicious or uncorrected wrongdoing should be noted, with a description of the progressive discipline procedures, if appropriate. Also, clearly state that everyone has a personal obligation to report any possible wrongdoing. Not reporting makes an employee subject to discipline as well.
The code of conduct holds the potential to be an abstract document, one that might not seem relevant to the day-to-day work of the individual. Therefore, many organizations add a “sample question” or “examples of compliance violations” section. A mixture of the general and specific is suggested. The examples should be inherent to your organization. Sample general questions might be:
I think I saw someone accept a gift card from a vendor.
Who should I contact?
Should I report a possible problem even if I’m not sure?
Will I get in trouble?
What if my supervisor asks me to do something I think is wrong?
How can I be sure my report will be kept confidential?
If a physician asks me to code something I know is wrong should I just do it?
Finally, most codes of conduct come with an acknowledgement or attestation form. The attestation form, requiring the employee signature, emphasizes the importance of the document and could provide certain legal advantages should there ever be a government inquiry. Attestations should be completed on an annual basis as a standard of practice. Annual attestations are required in most Corporate Integrity Agreements. To encourage the employee to return the attestation form promptly, some organizations will require a signed attestation form before new employees can be assigned perquisites such as parking space. Attestation forms should be filed in the employee’s official human resources file. The compliance department may want to maintain copies. It is also acceptable to have electronic attestations.
Identify Staffing Needs
The Compliance Officer, as noted earlier, is the “focal point” of the compliance program. Education certifications and degrees are important considerations in selecting a Compliance Officer, but more importantly, the position must be filled by someone who will be trusted and well respected within the organization. Background or experience must also be factored in. The Compliance Officer should have some background in health care administration. The HCCA 2006 Profile of Health Care Compliance Officer survey asked about the management level of the Compliance Officer and received these responses: 56% indicated the Compliance Officer was part of senior management, 25% indicated middle management, 15% indicated officer of the company and 5% identified another role.
All compliance department staff should have job descriptions. If need be, the Compliance Officer should develop his or her own job description and have it approved by the Board (See Appendix D, Sample Job Descriptions for Compliance Officers). Job descriptions for additional department staff should include a detailed list of duties and responsibilities and, to the extent possible, measurable expectations. For an educational coordinator, for example, you might want to require an annual educational plan due by a specific date. An auditor might be expected to review a certain number of risk areas in the annual plan or a certain number of charts every month. Job descriptions may need to be modified and adapted as time goes by and as compliance requirements change. Regular employee input to the job description, perhaps in preparation for an annual performance review, will keep the document relevant.
Whatever the size and scope of the organization, all compliance department staff should have certain characteristics. The compliance department is an outreach department so “good people skills” are vital. There will also be daily interaction with a wide variety of personality types. The ability to stay unflappable will be an asset to someone working in compliance. Moreover, compliance has a lot to do with change and, in general, people don’t like change. Therefore the compliance staff must, from time to time, be able to deal with unhappy, dissatisfied staff—especially when delivering difficult news that may mean more work. Strong communication and listening skills will be critical. Discretion is also required. A good sense of humor helps, too. As you interview, probe for these qualities. If you don’t find them, keep looking at other candidates. Once you have hired staff members, foster these qualities in your staff and provide feedback and guidance in performance reviews.
Most compliance officers would agree that a sizeable majority of compliance activities are related to education and training. Therefore, an education coordinator must be high on the list of early hires. As noted earlier, education is the first and best line of defense in compliance. An educated employee will be less likely to engage in an act of noncompliance and, knowing the organization’s commitment to compliance, will be much more likely to come forward if there is a question or concern about potential noncompliance. Having someone to focus on education can make for more effective educational programs and allow the Compliance Officer to coordinate the big picture. A training coordinator should have a strong background in health care and solid experience in adult learning strategies. Computer skills are needed not only for developing presentations but also for preparing and adapting education materials for the different populations being educated, e.g., staff, physicians, third parties, senior leaders, board members. Organizational skills are important; just keeping track of attendance can be a daunting task. Here, too, strong people skills are important.
Monitoring and auditing helps to ensure that the organization remains vigilant in its compliance efforts. Having someone on staff to coordinate these efforts will ensure that regular review happens and that it is objective, documented, reported, and analyzed. In this position, many areas of risk may be audited or monitored so a background in health care is critical, as is subject matter expertise in key risk areas such as billing, coding, contracts, etc. If there is one area specifically that the auditor will review, you will want to assure they have the appropriate certifications for this subject matter expertise, i.e., a certified professional coder (Ex. CPC, CCS, RHIA). The Compliance Officer could also work with the coding department and Human Resources to be sure competent coders are hired, especially today when hiring good people for any position seems to get harder and harder. For instance, consider administering a brief, simple test to applicants of perhaps 10 questions on coding utilizing the CPT4, HCPCS, and ICD-10 books. A candidate who cannot answer basic questions on such a test does not belong in the organization’s coding or medical record auditing department. The first step toward prevention is to check competency up front. (Work closely with HR on any candidate testing to be sure requirements for consistent administration of the test to all applicants is considered.)
The compliance committee composition is also important. As noted earlier, the OIG encourages representation from a variety of departments within the organization, including operations, finance, auditing, human resources, utilization review, social work, discharge planning, medicine, coding and legal, as well as employees and managers of key operating units. To the extent you are able to influence the composition of the compliance committee, look for individuals who are respected leaders within the organization and who will be strong champions for compliance. Be sure there is good representation among physicians on the compliance committee (See Gain Support and Commitment earlier in this chapter).
The organization’s legal counsel must work closely with the compliance department. Developing a relationship between the two departments is critical. Communication should be open and frequent. To keep informed of ongoing compliance issues—and to identify any legal “red flags”—legal counsel should be an active member of the compliance committee. The Compliance Officer and legal counsel may want to meet regularly and separately from the compliance committee meetings. If in-house legal counsel is not available, outside counsel should be kept informed via regular written reports such as compliance committee minutes or periodic face-to-face meetings with verbal status reports.
Conduct Risk Assessment
After the compliance program infrastructure is in place, i.e., compliance budget and staffing, the first step in launching an effective compliance program is to do a risk assessment. This is done with management through a variety of ways, such as document review, staff interviews, industry variables review, etc. The purpose of a risk assessment is to identify risks in the organization, analyze those risks against controls in place, prioritize those risks, and develop plans of action to address the risks prioritized. Reports on those prioritized risks and the monitoring of the risk areas by compliance will assure risk mitigation or resolution can occur.
There is not one way to do a risk assessment unless a regulatory body mandates the approach, e.g., SEC (COSO model for controls). The risk assessment becomes the basis for the focus of the education and auditing and monitoring plans for the compliance activities. Risk priorities are reviewed with management regularly and re-evaluated periodically to assure these are the most important areas of compliance risks for the organization. The prioritized risks will be dynamic to the organization’s needs and will be adapted if higher priority risks are identified.
The first place to start is by reviewing any previous problem areas. Those issues identified by the OIG in its various model compliance programs must be considered, but it is just as important to include individualized risk areas as well. Check for and review any previous audits, investigative reports, or evaluations such as Joint Commission or accreditation survey reports. In addition, a look at existing policies will help determine any potential vulnerability. Are the policies and procedures appropriate? Are they being followed? A review of actual practices related to those procedures, as well as to government regulation, is also in order. It is important that the baseline audit should also analyze current education and training practices. Whatever the audit findings, staff will need to be educated on any changes resulting from the audit as well as implementation of the compliance program. If there is weakness in the education program, it must be addressed early on.
The OIG Work Plan, all OIG model compliance guidances, OIG fraud alerts, and audit reports, among others, are helpful resources in identifying risk. (The OIG website has all these resources and more: www.oig.hhs.gov.) Trade and professional associations also provide information on current issues and emerging trends, which can include potential risk areas for consideration in developing the baseline audit agenda. Sample risks that may be identified in your risk assessment include:
No controls in a business process
New regulations, systems, products or leadership
No policies, guidance or standards in a specific area
A need for education or policy revision
Billing, documentation and/or coding issues
Third party relationships
After developing the list of risks, the next steps would include analyzing and evaluating the risks and the management controls in place related to those risks. Prioritizing would be a further next step. There are many different ways to prioritize; two of the most common methods are ranking each risk with high, medium and low, or ranking the risk as to its likelihood of occurring and impact to the organization. There are many other ranking variables which could be used; e.g., velocity, how well managed are the risks, vulnerabilities.
Once the risks are prioritized, management develops mitigation plans for the identified risks. The compliance professional’s role is to facilitate completing the mitigation plans with management. After the assessment is finalized the compliance professional’s role is monitoring the mitigation plans to help ensure risks are mitigated.
The risk assessment prioritization list can be the starting point for developing the compliance plan for auditing, monitoring and education. It will serve as the “benchmark” to which future risks can be compared. The risk assessment outcomes should be discussed with executive management to identify any unexplored issues or concerns prior to preparation of a final report. The goal is a complete, accurate, and realistic report that addresses the needs of the organization. The risk list is dynamic and reviewed periodically to assess if there are new risks for consideration and whether management is completing their mitigation plans.
Develop Mission and Goals
Once the compliance staff is in place, it must function as a team toward a common goal. Building that sense of camaraderie within the compliance department is critical before you can begin building a compliance program throughout the organization. One way to build that camaraderie is to conduct an annual retreat for the compliance personnel. As always, the culture of the organization as well as logistical issues must be considered. But when possible, an off-site retreat can be invigorating, motivating, and enormously productive. Off-site sessions are preferred only to eliminate, or at least minimize, the distractions of telephone calls, meetings, and “quick questions” from staff. The first retreat should be dedicated to drafting a mission statement for the department, a mission statement consistent with the organization’s mission statement. It is important for everyone in the compliance department to understand that fit and to be reading from the same page.
Sample Compliance Department Mission Statement
Courtesy of the Office of Compliance, University of Louisville Health Sciences Center
To strive to provide the highest quality of education and monitoring to assure integrity in the ethical and legal aspects of medical billing compliance for the University of Louisville Health Sciences Center and promote community awareness.
The retreat agenda should also look at goals for the upcoming year (which need not be a calendar year) and review progress toward current year goals. Be sure to identify a realistic number of goals and assure that they are achievable and measurable. Not all goals will be measured quantitatively. But when discussing goals at the retreat, explore with staff how success will be measured. Goals need not be directly tied to specific problems, but the retreat does provide an opportunity for staff to discuss openly any problems or concerns.
Sample Compliance Department Annual Goals
To provide a positive compliance experience.
To maintain clear lines of communication with key personnel throughout the organization.
To provide diverse educational opportunities to meet the demands of the organization and its community.
To provide subject matter experts that can be a resource to the organization and the community.
To establish a compliance reference library.
To elevate awareness and increase participation regarding compliance issues throughout the organization.
To collaborate with risk partners.
To maintain an open-door policy fostering confidentiality and trustworthiness.
To respond to complaints in a timely way and assure issues are mitigated.
The more active a role that staff takes in developing the mission statement, especially the goals, the more they will feel “ownership” of them and the more likely they will be to succeed.
However goals are determined, it is important that they be effectively and regularly communicated to the department staff. Discussing and measuring progress along the way, with updates at regular staff meetings, will contribute significantly toward progress. Assigning a department “liaison” for each goal can also contribute to ownership and stimulate progress. A department retreat will help communicate goals to staff. However, should any goals come to the department from executive management, these should be communicated and incorporated into tracking and measuring practices.
An annual compliance report should be developed. The compliance department will provide a detailed annual compliance status report to the Board and the organization’s executive management. An annual report is a different document, one meant for the board as well as all staff. The Compliance Annual Report is an opportunity to communicate your mission and goals to the organization. It is also an opportunity to talk about the organization’s compliance success stories, thereby reinforcing positive images of compliance and fostering support and demonstrating the effectiveness of the program. Thanking compliance champions, and those who came forward to identify problems, provides positive reinforcement throughout the organization. The all-staff Compliance Annual Report need not be glitzy and expensive. The point is to get the word out and to build support. Use the data that you’ve gathered and show your enthusiasm. It can be contagious.
Once a compliance program is up and running, it needs the “care and feeding” of ongoing evaluation. Getting a handle on regular review can be difficult, indeed it can be as daunting as getting started. For this process, consider the PDCA approach: Plan—Do—Check—Act, a tried and true quality management technique.
Plan—Look to your compliance program. Meet with the compliance committee to discuss and document current position and possible next steps.
Do—Take baby steps. Make preliminary attempts at next steps with full knowledge that there may be some false steps along the way.
Check—Review lessons learned. Gather the take-home lessons for those preliminary attempts.
Act—With your compliance committee, decide how to incorporate what you’ve learned with what you still need to do.
The first two years of the compliance program are usually focused on establishing and refining the infrastructure. Keep your expectations realistic. Compliance programs are always evolving, depending on internal and external variables. Compliance efforts are an ongoing process. PDCA can keep it flowing.