Benjamin D. Bresnick (Benjamin.firstname.lastname@example.org) is a Senior Director, Healthcare Compliance Group at Ankura in Chicago, IL.
For those of us who refer to ourselves as compliance professionals and work toward the creation, maintenance, and enhancement of compliance programs that conform to the Health and Human Services Office of Inspector General’s (OIG’s) seven elements of an effective compliance program, it is sometimes easy to slip into a mind-set where the development of the program becomes almost prescribed. Sometimes, the task of implementing and overseeing the program seems almost rote. As a chief compliance officer, I recall taking periodic inventories to confirm that my team was still meeting all seven elements and that we were confident that we were apprised of new risks and new changes in the regulatory environment.
The continuous task of assessing new risks, testing controls, and auditing is both necessary and valuable to effective compliance program management, but I continually believed and believe to this day that an effective compliance program offers more than just the seven elements. Put another way, an effective compliance program is worth more than the sum of its parts.
In a time when many of our employers, clients, or customers are going through great change in terms of shifts away from fee-for-service remuneration to models based upon shared risk, or as previously independent organizations merge, it became apparent (to me) that there was an opportunity for compliance programs to not only be the support system that ensures the laws, rules, and policies are being followed, but these programs can also provide a strategic and competitive advantage for organizations in these paradigm shifts. In many cases, these advantages do not represent any major additional work; instead, these advantages come from focusing on work product and existing information in different ways.
The following is a brief and cursory list of ways the output of an effective compliance program can be a strategic advantage to an organization. This list is by no means exhaustive, but rather should be viewed as a starting point for further thought and discussion.
Get dirty with the data
Someone in your organization is the keeper of data. This person may be in quality, finance, decision support, business planning, strategy, or some other department, but someone has access to all the data in your organization and knows how to use it to make meaningful reports. This is the person I lovingly refer to as the data guru. I recommend you identify this guru and go have lunch with him/her and ask what data and databases this person knows well. First off, as a compliance professional, you should make sure that corporate data is well protected, just like with protected health information (PHI). Just because the data may not fall directly under Health Insurance Portability and Accountability Act (HIPAA) regulations, it does not mean that it cannot benefit from the same control treatments and testing you place around your PHI. It is important to ask if the data is encrypted at rest or in transport, if the data is stored only on a central server, whether anything is downloaded to desktops or laptops, and who has access to it, among other important questions.
After you understand the security protocol around the use and disclosure of the data, I recommend transitioning into a discussion about data sharing. Ask what sort of relationships this person has noticed between otherwise disparate data elements. Does anything look out of place, and are there opportunities for improvement that are being missed? My goal in this step is to try and determine if data that is being captured as part of normal operations can be used or deployed in another manner without adding additional work.
Swim in multiple data lanes
As a compliance professional, you are well positioned to explore how the data gathered throughout your organization can add value by considering previously overlooked connections. Consider a hospital that has best-in-class systems for capturing information technology (IT) tickets, occurrence reports, compliance reports, financial performance, and human resources (HR)/payroll in addition to a top-tier electronic health record. Although these systems capture important information, they all have different data owners and are typically used for different business purposes. Your goal in this phase is to make connections between the data streams these applications generate in order to add a strategic advantage.
For example, can your data guru help construct an export from the pharmacy’s automated medication dispensing system and compare that report with the HR system that records when employees clock in and clock out? If a nurse takes a narcotic before clocking in for a shift or after clocking out for a shift, the data indicate that is a sign of possible drug diversion activity. Would it be helpful to know if a particular caregiver is regularly pulling medications (narcotics or otherwise) before they clock in or after they clock out?
What about combining occurrence reporting regarding patient falls with the timekeeping system or IT tickets? Can you identify a relationship between certain staffing levels or shift changes that are associated with a higher incident of falls? What if a computer application is down or the printer isn’t working? Is there a relationship between IT tickets that may be keeping caregivers away from direct patient care and increased falls?
The key here is to think outside of the box and look for relationships that may not have been considered before. As you will notice above, I am careful not to state that you are finding a causal relationship. The goal is to find what statisticians call a correlation or a mutual dependence of variables. Our purpose is not necessarily to determine if A caused B or if B caused A; we are simply trying to look at existing data and see if two or more elements move together and, if so, should we take a closer look? In fact, it would be a statistical error to conclude that we have causation. Think of these findings as analogous to a smoke detector. If the smoke detector starts beeping, you are going to react, but that does not mean that there is an actual fire. Maybe the smoke detector is warning you that the battery is dying, or maybe that roast in the oven has just moved slightly past well-done. There may be an actual fire, but just because the smoke detector is chirping is not definitive proof of a fire.
My recommendation is to find these correlations and then use them as a prompt to investigate deeper. I caution against running to your superior with matter-of-fact proof of an issue, lest you end up making a claim based upon a spurious correlation. For clarity purposes, an example of a spurious correlation is the divorce rate in Maine having a greater than 99% correlation with the per capita consumption of margarine. Although true, the relationship is probably nothing more than coincidence and could be quickly dismissed with very little investigation.
Once you have located interesting correlations, you should make note of these relationships and use them as indicators and advance warning mechanisms for the risk you are looking to control or better understand. For example, if you are trying to monitor drug diversion risk, one of the warning signs of diversion behavior is a person who regularly picks up extra shifts or volunteers for overtime. Once you are aware of that correlation, it is not difficult to have your HR team create automatic variance reports that show the people who continually pick up extra shifts or hours. Armed with this HR information, a compliance professional can work with pharmacy leadership to see if any of the people indicated on the HR reports are outliers on the dispensing reports as well. This is great insight that may have been missed if you or your team were not looking at the data from all different points of the organization.
Learn to speak finance
We are all aware (or at least should be) that having the compliance officer report to the chief financial officer (CFO) is an arrangement the OIG frowns upon. However, just because the reporting structure is proscribed, that does not give the compliance team carte blanche to be ignorant of what goes on in the finance department.
In my professional experience, I have noted that some compliance professionals have a comfort level with billing and coding, but many of the other financial functions are enigmatic. To transition to a holistic view of compliance, it makes sense to understand what financial metrics matter the most to the CFO, chief executive officer (CEO), and the board of directors, and then understand what these metrics mean and how they are calculated.
I do not suggest that compliance professionals must become expert financial analysts, but it stands to reason that if the C-suite is concerned with metrics such as days of cash on hand, return on invested capital, realization rate, or debt coverage, these are data points that are likely to drive executive decision making. As a compliance professional, if you have a reasonable understanding of how these metrics are calculated and what inputs are used to calculate said metrics, you can help spot opportunities for improvement as well as areas where the control environment is weak, and that could lead to something the compliance officer needs to be aware of. Further, if your organization is a not-for-profit organization and has issued municipal bonds as a way of raising capital, some of these financial metrics are often included in the bond covenants and, therefore, must be complied with as a condition of the bond issuance. As such, monitoring these metrics may be part of monitoring compliance with the tax-free status.