Risk Assessment

Compliance Program Structural Risk Assessment

By Barb Senters, CCEP, PHR

CREATED FOR ILLUSTRATION ONLY

A compliance program “best practice” is to conduct periodic risk assessments, both structural and substantive. The structural component includes the framework necessary to build and operate an effective compliance program, including the Office of Inspector General (OIG) necessary elements of a compliance program and the U.S. Sentencing Guidelines. The substantive component relates to the specific body of substantive law (e.g., Medicare, Medicaid, Anti-Kickback Statute, Stark Law, Privacy Rule). Please maintain documentation of this completed assessment in your files.

Instructions:

  • For each element, please rate the current strength using a 1–5 scale, with 1 being ad hoc, poorly organized, and reactive, a score of 3 being implemented and defined in policy, and a score of 5 being fully mature, optimized, and integrated into the organization.

  • Mark yes or no to indicate if the element exists.

  • For each “yes” answer, please provide the basis for your scoring, including documentation if available.

Effective Date: _______________

Description | Current Strength Rating | Yes | No | N/A | Explanation of “Yes,” including documentation references | Note/Action

Element 1: Written Policies and Procedures

1.0

An assessment of key risks that could affect the organization has been conducted.

1.01

Policies address issues identified in guidance documents (e.g., OIG, fraud alerts, corporate integrity agreements) or enforcement actions by the OIG and other government agencies with applicable legal requirements.

1.02

Policies address previously identified serious weaknesses in its practices (e.g., audits, investigations, exit interviews).

1.03

Policies describe how the organization’s compliance program operates and the consequences of noncompliance.

1.04

A code of conduct has been distributed to all employees, and a signed acknowledgement is tracked and maintained.

1.05

Policies include the duty to report and reporting outlets.

1.06

A process is in place to promptly address and rectify employee noncompliance.

1.07

Policies and procedures are periodically reviewed and are updated to reflect changes in laws, regulations, or processes.

1.08

Policies and procedures are reviewed at regular intervals.

1.09

Does a written policy provide guidance to employees on how potential compliance problems are investigated and resolved?

1.1

Compliance policies and procedures are distributed to employees upon hire.

Element 2: Education and Training

2.0

Is training and education provided to all employees, contractors, temps, etc. on expectations of the compliance program and potential compliance issues?

2.01

Is training and education provided to all governing directors about the expectations of the compliance program and potential compliance issues?

2.02

Does training include the compliance program overview, including reporting mechanisms and the commitment to nonretaliation?

2.03

Does education include a description of key substantive laws and regulations that affect the employee’s job?

2.04

Does the training include consequences of violations of the various laws that may be imposed on individuals and the company?

2.05

Is the timeliness of employee training for new hires tracked and measured?

2.06

Are new employees/contractors required to take compliance training as part of orientation?

2.07

Is new compliance training provided to all employees annually?

2.08

Have high-risk groups been identified, and do they receive three hours of compliance training throughout the year?

2.09

The compliance officer can retrieve documentation that proves policies, procedures, and the code of conduct were distributed and received (for example, an acknowledgement).

2.1

Training records are maintained for 10 years. (Employee files are audited by compliance.)

Element 3: Open Lines of Communication

3.00

Does the culture encourage open communication without fear of retaliation?

3.01

Do employees know the kind of things that should be reported as a potential compliance concern? Are they reinforced in formal compliance training and locally?

3.02

Is an anonymous hotline or similar mechanism in place so that staff, patients, visitors, contractors, and clinical staff can report potential compliance concerns?

3.03

Is the hotline well publicized? Are the types of calls tracked and logged (to establish patterns), and is the caller informed of the company’s actions?

3.04

Is the compliance committee actively engaged in pursuing appropriate remedies to institutional or recurring problems?

3.05

Is there an alternative communication method such as a periodic newsletter or compliance website for the compliance department to inform employees on regulatory updates and/or changes in the program?

Element 4: Internal Monitoring and Auditing

4.0

Is the audit plan reevaluated annually, and does it address proper areas of concern, such as previous years’ audits, risk areas identified as part of the risk assessment, high-volume services, comparable external investigations, etc.?

4.01

Does the audit plan include an assessment of billing systems in addition to claims accuracy in an effort to identify the root cause of billing errors?

4.02

Have the error rates been identified and tracked in the audits and patterns detected/mitigated?

4.03

Does the audit include a review of all billing documentation, including clinical documentation in support of the claim?

4.04

Are quality complaints from patients, payers, employees, etc. centralized and investigated to detect patterns of concern?

Element 5: Response to Detected Deficiencies

5.01

Are disciplinary standards enforced consistently across the organization?

5.02

Is each instance involving the enforcement of disciplinary standards thoroughly documented?

5.03

Are all matters thoroughly and promptly investigated?

5.05

When a detected deficiency results in an identified overpayment, is it disclosed to the proper law enforcement agency?

5.06

Are periodic reviews of problem areas conducted to verify that the corrective action that was implemented successfully eliminated existing deficiencies?

Element 6: Designation of a Compliance Officer and Compliance Committee

6.0

Does the compliance officer report directly to the CEO and/or board of directors?

6.01

Does the compliance department have a clear, well-crafted mission?

6.02

Does the compliance officer have sufficient authority to implement the compliance program? Do they have sufficient resources necessary to perform assessments and respond appropriately to misconduct?

6.03

Have compliance-related responsibilities been assigned across the organization, and are employees held accountable for meeting them in performance reviews?

6.04

Is there an active compliance committee composed of trained representatives of each relevant functional department as well as senior management?

6.05

Does the compliance officer have direct access to the governing body, the president, or CEO?

6.06

Does the compliance officer have independent authority to retain outside legal counsel?

6.07

Does the compliance officer make regular reports to the board of directors and other managers concerning the compliance program effectiveness?

6.08

The board of directors is knowledgeable about the content and operation of the compliance program.

6.09

The compliance officer is independent from other duties that could constitute a conflict of interest (chief financial officer, CEO, billing, general counsel).

6.1

The compliance officer cannot be terminated without board of director approval as stated in the charter.

Element 7: Enforcement of Disciplinary Standards

7.0

Are disciplinary standards well publicized and readily available to all employees?

7.1

Are disciplinary standards enforced consistently across the company?

7.2

Is each instance involving the enforcement of disciplinary standards thoroughly documented?

7.3

Are employees, contractors, and clinical staff checked routinely against government sanctions lists, including the OIG’s List of Excluded Individuals/Entities and the General Services Administration’s Excluded Parties List System?
