1 University of California, San Diego University of California San Diego Governance Overview and Compliance Activities Audit & Management Advisory Services Regents Committee on Compliance and Audit Health Sciences Activities in Compliance Kathleen Naughton: UCSD Health Sciences Chief Compliance & Privacy Officer Stephanie Burke: UCSD Asst. Vice Chancellor for Audit & Management Advisory Services January 20, 2011
2 UCSD Governance Organizational Structure 2010 Regents of the University of California Shared Governance Responsibility President of the University of California Academic Senate of the University of California General Counsel Treasurer Chief Compliance and Audit Officer Secretary UCSD Compliance, Audit, Risk and Ethics Committee UCSD Chancellor Senior VC Academic Affairs VC for Research VC Marine Sciences VC Student Affairs VC Resource Mgnt & Planning VC External and Business Affairs VC Health Sciences and Dean SOM UCSD Academic Senate Standing Committees (23) Other Appointed Committees (5) 2
3 ComplianceAuditRiskEthics Compelling Agenda for Committee Transparency Risk Management Accountability Themes for Committee Audit Issues Compliance and Monitoring Risk Assessment Research Oversight Communication and Training Sub Committees Health Sciences Compliance Information Privacy and Security Student, Staff and Faculty Ethics UCSD Governance and Accountability Structure
4 UCSD Audit, Compliance and Line Management Responsibilities Auditing Controls: Controls performed outside of the line management structure by representatives of the governance function on a sample basis through a risk assessment process to assess the overall existence and effectiveness of the entire internal control environment. Focused Reviews (Audit Resp) Oversight Controls (Compliance Responsibility) Monitoring Controls (Supervisory Responsibility) Oversight Controls: Controls performed on a frequent and regular basis outside of a process but generally within the UCSD line management hierarchy by middle or senior managers and their representatives to gauge the effectiveness of operating and monitoring controls. In selected high risk cases such as health sciences billing, controls are performed by an organizationally separate compliance function. Monitoring Controls: Controls performed within the process or immediately after the process by first line supervisors or representatives to insure operating controls are working effectively. Operating Controls (Employee Responsibility - Controls Embedded in Processes) Operating Controls: Controls embedded in the process and which are provided by employees in the process to insure that process objectives are achieved. 4
5 UCSD Enterprise Risk Management Overview UCSD Decentralized Environment Risk Management Responsibility Risk Assessment Activity and Coordination Senior VC Academic Affairs VC for Research VC Marine Sciences VC Student Affairs UCSD Chancellor Research Compliance UC Systemwide Chief Compliance & Audit Officer UCOP CFO Enterprise Risk Management Initiative Information Security and Privacy Function VC Resource Management & Planning VC External and Business Affairs VC Health Sciences and Dean School of Medicine EH&S Audit & Management Advisory Services UCSD Compliance, Audit, Risk and Ethics Committee (CARE) Campus Risk Management Health Sciences Corporate Compliance Health Sciences Risk Management Health Science related 5
6 University of California, San Diego University of California San Diego Health Sciences Compliance Program Report Audit & Management Advisory Services Regents Committee on Compliance and Audit
7 Outline Organization Key Program Components Education initiatives Monitoring focus areas External government audit activity Work Plan 7
8 UC San Diego Health Sciences Compliance Program Dean for Clinical Affairs Thomas McAfee, MD Physician Advisor Compliance & Privacy Lee Giddings, MD VC Health Sciences David Brenner, MD Chief Compliance & Privacy Officer Kathleen Naughton Executive Compliance Advisory Group UC Board of Regents SVP Compliance & Audit UC Systemwide UCSD Compliance, Audit, Risk & Ethics Committee CARE (Campus) HS Compliance, Privacy & Enterprise Risk Management Committee (HSCP-ERM) Corporate Compliance Program Manager Privacy Program Manager Research Compliance Program Director Advisory Groups Privacy Security Advisory Board Research Compliance Advisory Committee Clinical Data Access Taskforce 8 Rev.: Dec-2010
9 Key Program Components Corporate Compliance, Privacy & Research Compliance Programs 1. Oversight 2. Policies, standards, code of conduct 3. Education * 4. Communication, hot line 5. Monitoring * 6. Enforcement * 7. Response, prevention initiatives * Education, monitoring & enforcement have the most impact. Incorporates the Federal Sentencing Guidelines 7 key elements for effective compliance programs. 9
10 Education Initiatives FY2011 Compliance Program New employee orientation includes compliance / HIPAA New clinical provider compliance training Annual coder training (8 hours), webinars Monthly newsletter, topic specific billing guides Privacy Program HIPAA training (annually) Posters: Information Security Awareness Monthly newsletter, topic specific training modules Research Compliance Program Training program for research staff Monthly newsletter, posters, brochures 10
11 Program Focus Areas Work Plan Risk assessments (annually) Monitoring & Reporting to Leadership (examples) Billing: profiles, coding vs. documentation reviews, complaints Privacy: electronic activity (surveillance of user access) Clinical trials: risk assessments, compliance with standards COI: outside professional activity reports (APM-025) Enforcement & Prevention Methods Refund over-payments, suspend billing Implement corrective action plans Change processes, update policies Provide training on procedures, offer continuing education Apply sanctions in accordance with UC personnel policies 11
12 External Government Audits FY2010 Compliance Program Medicare Recovery Audit Contractors (RAC) Medicaid Integrity Program Audits (MIP) Office for Inspector General (OIG), self-audit(s) Health Care Reform initiatives / ARRA Due to increased government funding to fight fraud and abuse, audit activity will continue to rise. Expect scrutiny over the use of ARRA stimulus funds. Privacy Program CDPH investigations: reported breaches (licensed facility): 17 Fines for serious breaches: 0 Fines for untimely reports: 0 Breach notifications are required to CDPH and the consumer within 5 business days. Fines for late reports: $100/day/name Large scale incidents (>500): 0 12
13 Compliance Work Plan FY2011 Compliance Program Monitor billing claims to ensure accuracy Scheduled reviews, investigate billing complaints Assure that overpayments are refunded within 60-days (PPACA law) Use government audit activity to assess controls Monitor annual reports of outside professional activity (APM-025) Participate in UC systemwide education initiatives ICD10: New diagnosis coding structure, effective 2013 Clinical research billing: Clarification of complex rules Privacy Program Monitor user activity (electronic surveillance) Investigate complaints Update privacy policies & education modules (HITECH laws) Promote privacy / information security (access control, encryption) * Example of the compliance work plan, partial list 13
14 University of California, San Diego Audit and Compliance COI Risk Mitigation Information Item - Appendix University of California San Diego Audit & Management Advisory Services Regents Committee on Compliance and Audit
15 COI Risk Overview Key risk areas for faculty and institutions: Conflict of Interest and Conflict of Commitment Federal and state laws governing conflict of interest, conflict of commitment, disclosure of financial interests for research and medical compensation are relatively complex. Changing environment: Federal regulations in this area are becoming more stringent and government funding for anti-fraud initiatives is on the rise. The appearance of a conflict can undermine public trust, even in situations where mitigating factors are made known to the public. The consequences of failure can adversely impact research, funding, and result in individual faculty penalties, fines, and license restrictions. Risk area to the institution: Resources & Decentralized Processes Current campus and departmental systems for tracking disclosures of financial interests are manual, cumbersome and decentralized.
16 COI Changing Regulations New financial conflict of interest (FCOI) rules were proposed in the May 21, 2010 federal register in order to reduce conflict of interest in research. The proposed regulations would: Require Public Health Service (PHS) funded investigators to disclose to their institutions all Significant Financial Interests (SFIs) related to their institutional responsibilities. This would move the responsibility for determining if an investigator's SFI are related to his/her PHS-supported research from the investigator to the institution. Lower the monetary threshold at which interests require disclosure, generally from $10,000 to $5,000. Require institutions to provide the PHS Awarding component (e.g., NIH) significant additional information on identified FCOI and how they are being managed. Require every PHS-funded institution to post, on a publicly accessible website, information on certain SFIs that the institution has determined are related to PHS-funded research and constitute FCOI.
17 COI Changing Regulations Patient Protection Affordable Care Act of 2010 (PPACA) includes a Physician Payment Sunshine Act Provision: Prevents conflict of interests and insures transparency of information for patients by requiring all drug companies, device, and medical supply manufacturers to fully disclose to HHS and any gifts or payments made to physicians, as well as any other financial relationships that they may have with doctors, physician practices or physician groups. Data is to be reported to the federal government electronically to ensure public availability of the data in an easily searchable format on a website. Details: Data recording begins January 1, 2012 and reporting start to the federal government begins as early as March Device, drug, medical supply, and biologic companies must report information related to the nature of the payments and other transfers of value to physicians and hospitals for values of $10 or more (or for $100 total in a calendar year). This bill will pre-empt state laws that are similar or weaker than this provision, but will not pre-empt more restrictive laws.
18 COI Risk Mitigation: Policy Requirements Risks Conflict of Interest (COI) & Conflict of Commitment Risk Reduction Submit: Calif. 700-U form (Conflict of Interest) for IRB research studies & service agreements with industry Report: Outside Professional Time (APM-025) Comply with Health Science department s good standing criteria HS Compensation Plan (APM-670, Outside Professional Income) Report: Time / Effort research grants (Federal Regulation: OMB Circular A-21, J.10) Adhere to UC s policies and procedures for COI and health care vendor relationships
19 UCSD COI Risk Mitigation: Focused Reviews AMAS Review of Conflict of Commitment Policy (2007) Limited instances of non-compliance with policy Dean/departmental responsibilities for disclosures not clear Greater coordination and information exchange between COI and Academic Personnel needed to monitor disclosures AMAS Review of Health Sciences Research Conflict of Interest (2009) Disclosure form submission process was paper-based and complex Greater coordination and information exchange between COI, Human Subjects and Contracts & Grants needed to monitor disclosures AMAS Consultation on Disclosures for Non-Faculty Appointments Over 50% (2010) Employment contract clarifications needed Current Systemwide Audit (in Process)
20 UCSD Risk Mitigation: Oversight and Monitoring Education Initiatives Health Sciences Compliance Program Purpose: Prevent, detect, and correct violations Support the health science mission quality patient care, teaching and research Demonstrate a commitment to making ethical decisions in an organizational culture that values compliance and promotes awareness of duty to report concerns without fear of retaliation. COI education points: Avoid participating in, influencing, or making a decision that benefits your financial interest Duty to disclose, recuse, divest, and/or seek advice Flexible, scalable approach to education / training: Use staff meetings, the learning management system, webinars, newsletters, posters, web resources, , policy and guidance documents
21 UCSD COI Risk Mitigation: Oversight and Monitoring UC San Diego Health Sciences Compliance Program The Compliance Program ensures that Health Sciences faculty and other workforce members adhere to the myriad of regulatory requirements associated with UC s mission of teaching, research and patient care. Compliance Advisory Group: Reviews all conflict of commitment disclosures (Category 1 and 2) and advises the VC-Health Sciences. Category 1 requires approval from the Vice- Chancellor and Chancellor. Issued a revised APM-025 form, Reporting of Outside Professional Activities, with assistance from UC counsel (FY11). UC San Diego Health Sciences Vice Chancellor s Office The Vice Chancellor s Office implemented the revised APM-025 form which combines required disclosures for time and income associated with outside professional activities by SOM faculty members. This form incorporates some anticipated changes in federal disclosure levels.
22 UCSD COI Risk Mitigation: Oversight and Monitoring Health Sciences: School of Medicine Dean s Office established good standing criteria which requires that departments have transparent implementing procedures for salary negotiation; and that faculty comply with the Health Sciences Code of Conduct and the annual reporting of outside professional activities in order to earn and directly retain income from such activities. The Compliance Program monitors faculty reports for compliance with APM025 policy. Office of Continuing Medical Education (OCME) requires speakers to disclose financial interests.
23 COI Risk Mitigation: System & Operational Improvements Planned Development of a systemwide real-time on-line user-friendly system for disclosure of financial interests and tracking of research COI disclosures Efforts are underway to develop campus-wide support for such a system. UCSD had dedicated a full time programmer to the Kuali-Coeus COI initiative, which is now gaining support from multiple campuses. Expansion of the list of designated officials required to annually disclose financial interests to include Health Science department chairs, division chiefs and chief administrative officers.
24 Conclusion Laws and regulations that govern conflict of interest, health care and research conduct are complicated, and penalties for not following these regulations are severe. Audit and Compliance Program staff provide oversight, auditing and monitoring resources for managing areas of risk.