Table of Contents
When he meets with board members, Donald Sinko, Cleveland Clinic’s chief integrity officer, keeps laser focused on risks because that’s what they need to know about. Sometimes compliance officers are tempted to talk about everything they’re up to, but what matters to the board is strategy and whether risks are identified and mitigated.
“If people are just presenting, ‘Here is what we’re doing,’ that’s boring for board members,” Sinko says. The point is to present “actionable things. Here are issues and concerns. I have seen lots of board presentations in different organizations, and what gets presented is how great everything is. Most board members are CEOs and CFOs. They know there are issues and problems. They’re thinking, ‘What am I not hearing?’ They want to know you’re doing risk assessments and you have plans to address the things you think are potential problems. Because the board’s main focus is risk.”
The quality of the communication between compliance officers and board members has great impact on their oversight of the organization. There’s a tug of war, however, between the time board members have to devote to their clinical, financial and compliance oversight, and the overwhelming amount of material they have to consider. Some compliance officers say board members are asking more thoughtful questions because they’re receiving better education about regulations and risks, and they may speak directly to department managers about risk areas and compliance problems. But board members also may be relying more on shortcuts like consent agendas as meetings last three to five hours and materials run into the hundreds of pages.
Boards are starting to request shorter, more consolidated reports, which puts the burden on managers to select the most salient matters, says Margaret Hambleton, vice president and chief compliance officer at Dignity Health in California. “What it can start to look like is you’re intentionally trying to provide the board with information on paper that shows they are complying with their oversight responsibilities, but it’s not giving them enough information to do that effectively,” she says. “It’s not hiding information from the board exactly, but it’s not highlighting information they need to see and talk about. That’s what I worry about when everything becomes so summarized and brief or done just through consent agendas. I worry management hasn’t given them the right tools they need to do their jobs effectively.”
Consent Agendas Are a Mixed Bag
Consent agendas can be used by a committee of the board or the full board to skip discussions of items and go straight to a vote. “They’re good for saving time only if used properly” (e.g., for minutes), Sinko says. If a compliance presentation or internal audit report is on the consent agenda, he doubts the government would be happy about it. Or a consent agenda could backfire “if someone is afraid of the chair or the chair is so powerful” that other board members are afraid to speak up about an item. “But if someone wrote a report that’s informational but doesn’t need to be discussed, it could be on a consent agenda,” says Sinko, whose committees don’t use consent agendas.
With the volume of information, compliance officers have to figure out how to boil down the material for board members without their losing a sense of it. “One of the biggest challenges right now is the extent to which you provide information to the board in summarized form or in a more verbose narrative form for them to be able to ensure they have adequate information so they can evaluate whether or not the program is effective and whether management is identifying key risks and responding appropriately to key risks,” Hambleton says. Managers may get so tied up providing information that they’re not thinking critically about the questions board members should be asking to ensure they fulfill their oversight duty.
Most board members serve both on the main board and on several board committees (e.g., audit/compliance, finance, quality), which means they’re reviewing several reports. Hambleton’s compliance packet for the board includes reports on the compliance program, cybersecurity, the corporate integrity agreement, internal auditor, external auditor and general counsel—a total of about 300 pages with attachments and reference material at every meeting. When inundated, it’s hard for board members to ask managers, including compliance officers, the right questions about the information to ensure, for example, they’re comfortable with how risks are managed, Hambleton says.
“It’s a challenge to recognize when information can be summarized and aggregated and/or when you need to have a conversation to ensure the board understands the issues, trends, risks and specific vulnerabilities and engages in dialogue,” she says. Managers may get so distracted by providing information that they don’t think about how to encourage board members to ask the right questions about the effectiveness of compliance programs and their resources with a certain degree of skepticism.
Without Education, Boards Are in the Dark
What can make board interactions more productive? A more “formalized” interaction, Hambleton says. As compliance officers prepare materials for the board, Hambleton says they should be designed to elicit “generative questions,” which open the door to deeper inquiry. When you identify compliance events that have happened over the previous year, how do board members respond? Are they asking how the risks have been addressed and whether they were managed properly? Do they question whether there are events in the broader community that may affect what the organization is doing and whether compliance has adequate funding? “Think about the key things you want to discuss. If you just give them a dashboard with the number of hotline calls, it’s not meaningful in their oversight,” Hambleton says. Instead, connect the dots, with something like, “We had nine hotline calls in the past year related specifically to this concern. Here is why we think it’s an emerging trend, and we think it may be a vulnerability in the organization.” That approach led a board member to ask Dignity’s compliance department to separately track hotline calls related to accounting controls.
Because the emphasis is on educating the board about the most significant risks, Sinko has education as a standing agenda item. Sinko, who reports directly to the Cleveland Clinic board’s audit and compliance committee and is a member of its quality committee, brought the chair of the research compliance committee and research compliance manager at Cleveland Clinic to its March meeting to talk about research compliance.
The sheer volume of research at Cleveland Clinic—it has 4,000 research protocols—makes it a high compliance priority, he says. The chair of the research compliance committee and research compliance manager discussed with the audit committee the “complexities and compliance challenges” and the efforts to minimize them. He explained that research is a very decentralized activity and that “the more centralized the process is, the less risk involved.”
Not only is there confusion around billing for routine items in qualifying clinical trials (“Without Flags, Hospitals May Be Overpaid for Patients in Research,” RMC 28, no. 9), but when allegations of grant fraud land in the headlines, people may forget about all the clinical trials that proceed without a hitch. Prime example: the Department of Justice announced March 25 that Duke University agreed to pay $112.5 million to settle a false claims case over fake data in research grant applications (see briefs below).
There’s Nothing Wrong With a Little Spin
Educating board members is critical because health care is so regulated and sometimes counterintuitive. Even though they may come from other highly regulated industries, such as banking, board members may have trouble wrapping their heads around some of the constraints of operating a health care business. “The thing you generally have when you have non-health care board members is difficulty understanding the complexity of health care,” Sinko says. “We focus on processes that are generally not found in other industries.” For example, when new people join the Cleveland Clinic board, they learn that hospitals can’t reward referral sources the way other businesses can. “I tell people that most regulations make sense,” Sinko says. “When you buy new tires, you know you need them. But in health care, when you’re referred for an MRI, you have to trust that you need it.” He also explains to board members sometimes regulations don’t make sense, and the industry had to push back. For example, CMS in January said that hospitals that contract with Medicare Part C and D—first tier, downstream and related entities—no longer have to provide CMS-issued compliance and fraud and abuse training if they already have their own.
Board members only need to hear about reportable events that can be described as significant—a high probability of fraud, a privacy or security breach, a large-dollar Medicare overpayment or repayment of above fair market value compensation to physicians, says attorney Bob Wade, with Barnes & Thornburg in South Bend, Indiana.
But the facts won’t have much impact on oversight without education. “These individuals are coming into an environment where they have no idea of the risk,” he says. “The board wants to make sure the organization does everything appropriately, but if it has not been educated, then it’s somewhat in the dark. How can they ask appropriate questions?”
One CEO urged him not to scare board members about a compliance issue. The CEO wasn’t trying to sweep it under the carpet, but in health care, repayments are routine and even false claims investigations are not necessarily catastrophic, Wade says. “It is the perception the board doesn’t understand. I always say, if the board doesn’t understand, we haven’t educated the board appropriately.” By the same token, there’s nothing wrong with a little spin; “You don’t want to freak out the board,” he says. Explain the hospital repaid Medicare $1 million in a self-disclosure because of a billing error, but that it’s fairly routine. An educated board will get it.
Contact Sinko at sinkod@ccf.org, Hambleton at margaret.hambleton@dignityhealth.org and Wade at bob.wade@btlaw.com. ✧