Cornelia M. Dorfschmid (cdorfschmid@strategicm.com) is Executive Vice President, Strategic Management Services, LLC.
One reason for an increased or renewed interest in root cause analysis (RCA) in the compliance community may be due to the recently updated U.S. Department of Justice (DOJ) guidance entitled Evaluation of Corporate Compliance Programs.[1] In the guidance revision issued June 2020, the DOJ states: “To determine whether a company’s compliance program is working effectively at the time of a charging decision or resolution, prosecutors should consider whether the program evolved over time to address existing and changing compliance risks. Prosecutors should also consider whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.” DOJ further states that “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.” DOJ would assess effective compliance programs with respect to the organization’s internal investigations and emphasizes RCA importance in the response to investigations: “Have the company’s investigations been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory managers and senior executives? What has been the process for responding to investigative findings? How high up in the company do investigative findings go?”
Clearly, RCA is an integral part of an effective auditing and monitoring element of the compliance program and the techniques related to the audit and investigation processes, as has been raised in the U.S. Department of Health & Human Services Office of Inspector General (OIG) and Health Care Compliance Association’s (HCCA) Measuring Compliance Program Effectiveness: A Resource Guide[2] to measure compliance program effectiveness. The guide was issued in March 2017 as an outcome of an HCCA-OIG Compliance Effectiveness Roundtable. It points out the depth of and breadth of RCA and proper integration into corrective action plans as part of effectiveness criteria.
Not surprisingly, conducting an RCA may also be considered by internal review organizations that conduct claims, arrangements reviews to assess systemic error patterns, or be required in corporate integrity agreements with quality-of-service–, patient safety–, or software systems–related reviews of entities that settled with the government and are subject to external monitoring or review. In the context of corporate integrity agreements or integrity agreements, the independent reviewer typically needs to report the reasons for errors and patterns noted in billing and coding system(s) or report on any patterns of errors or weaknesses in arrangement systems. In corporate integrity agreements with quality control systems, quality review systems, and quality assurance program requirements that mandate reviewing, tracking, and completing root cause analyses of potential and identified issues, it is critical that such root cause analyses are actually conducted and done well. Quality-of-care incidents must be effectively reviewed and root cause analyses completed.
In certain auditing activities, RCA can also be beneficial. In process audits and systems reviews that focus on risk and internal controls, auditors typically must understand why processes do not work and why internal controls are not functioning as they should—they need to find the gaps. RCA is then especially advantageous when auditors find out that the implemented control activity or monitors do not operate effectively. In a new system deployment, or during the pre-implementation phase, an RCA can be helpful to weed out systemic weaknesses that lead to malfunction.
Healthcare is increasingly integrated through advances in health information technology. Many medical and care delivery systems talk to each other through ever more sophisticated technology; keeping internal systems well controlled through setting compliance controls will be a consideration for effective and mature compliance programs. Getting to the root causes of compliance failures or violations will likely take a multidisciplinary approach and involve all parts of a system: people, policies, technology, corporate structure, communication channels, and the like. Understanding the basis and effective use of RCA should be part of the compliance officer’s tool chest.