Lions and Tigers and Bears (Oh My!)

Transcription

1 Lions and Tigers and Bears (Oh My!) The Measurement Beasts: Compliance Risk Assessments Effectiveness Evaluations, and Audits HCCA West Coast Conference, Newport Beach, CA June 18, 2010 Jeffrey A. Nagel, PhD, CHC Chief of Staff/Chief Compliance Officer County of Orange, Health Care Agency Margaret Hambleton, MBA, CPHRM, CHH Sr. Vice President, Chief Compliance Officer St. Joseph Health System

2 About us Jeff Nagel County of Orange Health Care Agency Margaret Hambleton St. Joseph Health System

3 We re Not in Kansas Any More

4 Objectives Developing a road map for compliance measurement tools: Identification, measurement, scope and resources Reducing risk exposure Demonstrating return on investment and securing management buy-in

5 Where is the yellow brick road? Understand where you are going, what do you need to get there, ensure management support and buy-in A well planned path is a key to arriving at A well planned path is a key to arriving at your intended destination.

6 Risk Assessment Eighth element of an effective compliance program Government guidance Federal Sentencing Guidelines Organizations shall periodically assess the risk of criminal conduct and shall take appropriate steps OIG Program Guidance Institutions should consider conducting risk assessments to determine where to devote audit resources

7 Definitions Risks Observable events or conditions that may occur and, if they do occur, would have a harmful effect. The impact of a risk should be measurable or definable in specific observable terms (i.e. financial, legal, reputational, etc.) Inherent Risk The risk of an event occurring without consideration for internal controls Residual Risk The risk that remains after considering current controls

8 Definitions Risk Identification The process by which the universe of risks is identified Audits Literature Enforcement/regulatory Impressions of individuals engaged in the process Risk Assessment The process by which identified risks are evaluated and prioritized

9 Definitions Risk Tolerance The amount/type of risk the organization is willing accept Cultural considerations the organizations mission and values Strategic considerations Capacity considerations

10 Why Conduct a Risk Assessment Proactive versus reactive Supports enterprise risk management Cultural integration Raises awareness of program value Mitigation of penalties Continuous program improvement Basis for annual work plan Identifies needed resources

11 Building a Risk Assessment Program Leadership Identifying risks Establishing risk tolerance Buy-in to structure, methods, and mitigation plans

12 Building a Risk Assessment Program Alignment PI s and support personnel Business office Management Staying current with requirements Staying current with requirements Tools and Resources Simple or complex Accountability

13 The risk assessment process Board Communicate Risk Identification Evaluate Monitor Broad Focus on all types of Risks Risk Assessment Controls Assessment Control Activities Establish Priorities Develop Work Plans

14 Risk Identification Surveys Interviews Prior audit findings Prior compliance investigations Exit Interviews with separating employees External sources

15 Risk Identification Human Resources Finance HIM External Risk Services Compliance Admin. Operations HIPAA

16 Risk Identification Exposures now and in the next 3-5 years Key process or functions Key strategic initiatives Complex studies, processes or functions with Complex studies, processes or functions with multiple stakeholders, hand-offs, control, and authority

17 Risk Identification Open ended surveys or interviews Rely on the expertise of the individual being surveyed Supports a wide range of potential risks Can be difficult to adequately define and compare risks One-on-one interviews allow for additional probing

18 Risk Identification Risk ranking Pre-defined listing of potential risks Surveys readily available in the market Quick and easy for participants Be aware this is not a true risk assessment (although it may be sold as one) Be careful not to confuse controls with risks

19 Risk Identification Controls vs. Risks Controls: Policies, procedures, audits, education, management approvals, quality reviews, automation, program structure, etc. Examples: Does the organization have a policy on conflict of interest? Does the organization update the standards of conduct periodically? Are Compliance Committee minutes reviewed? Are procedures in place to identify and address billing misconduct? Who is responsible for monitoring and enforcing adherence to these policies?

20 Risk Assessment Impact (Severity) Financial Legal Reputation Operations Strategic Vulnerability Likelihood/Frequency/History Complexity Rate of Change Controls

21 Assessment Tools Risk Map Gap Analysis Risk Prioritization Scoring

22 Simple Risk Map High D M A E 12 K Impact 10 8 J L I 6 B C Low 4 2 F G H Low Vulnerability High

23 Complex Risk Map

24 Gap Analysis Management Effectiveness Inherent Risk Conflicts Enrollment Billing Sponsor Agreements Time & Effort Reporting PI Agreements Adverse Event Reporting

25 Risk Prioritization Score (RPS) Risk Prioritization Scoring Mission Financial Legal Risk Impact Likelihood Complexity Vunerability Controls Topic Risk Risk Risk Risk Risk Risk Comments

26 Risk Impact Severity measure Define scoring terms in very specific terms Numeric scoring High Low Example: High=Loss or additional expense greater than 1% of gross revenue (financial impact)

27 Vulnerability Scoring Consider without controls to understand the inherent risk Specific definition of terms (scores) Vulnerability may include: Likelihood of failure History of failure Rate of change Complexity of process Detectibality of failure

28 Evaluating the Control Environments Extent of variation Routine review or audit of process Human factors Standard work Communication, hand-offs, redundancy, work around, reliance on memory, etc.

29 Risk Tolerance Continuum ranging from total avoidance of risk to total acceptance Tied to mission and organizational governance and leadership Understand that you probably can not address all risks identified

30 Risk Mitigation Identifying and prioritizing risks creates risk if nothing will be done with the information Audits are not corrective action! Develop work plan monitor effectiveness of plan Understand the root cause Resources available

31 Work Plan Development Involve stakeholders Communicate Monitoring and ongoing periodic assessment Re-evaluate and reprioritize at next risk Re-evaluate and reprioritize at next risk assessment

32 Importance of Auditing and Monitoring One of the seven elements of a comprehensive compliance program based on the OIG Compliance Program Guidance Assists organizations in determining their strengths / weaknesses / risks Can also assist in determining whether the appropriate resources are in place throughout the organization Provides ongoing assurance to management that high-risk areas are operating in accordance with organizational policies and procedures Or highlights the areas that are not Can demonstrate compliance program effectiveness Difference between auditing and monitoring

33 Compliance Auditing Resources Internal vs. external resources Compliance auditors should have a minimum level of technical competence related to area of audit Certified coders CPAs JDs Ongoing training and education should be mandatory On-the-job training can be invaluable Internal Audit and the Compliance function S.W.A.T. team to respond to urgent situations Engaging outside specialists when necessary Conducting compliance audit under attorney-client privilege

34 Selecting Compliance Audits Utilizing a risk-based approach Organization-wide risk assessment Specific risk areas Ongoing significant risk areas Consider approach based on an annual planning process Address risks related to new or revised regulatory requirements As part of the determination of compliance program effectiveness, perform a compliance audit of whether the seven elements have been met / exceeded

35 Auditing Basics Develop your audit plan Areas in which you need to assess controls New services New rules, policies and/or procedures Areas in which you need to evaluate how effective corrective action plans have been Complex and problem prone areas Surveillance Areas with key staff turnover

36 Conducting a Compliance Audit Planning the audit Performing the audit Preparing the audit report Operationalizing the findings and results from the audit

37 Planning the Audit Define the audit scope Prepare a detailed audit workplan Identify appropriate resources for the audit Determine the timing of when the audit will take place as well as how long it will take to conduct the audit Validate audit scope and timing with appropriate contact Proceed to performing the audit Consider privilege options

38 Planning the Audit Understand the issue What are the rules, external guidance? What are your policies? Who is involved in the process? What are the process steps? What records document the process/service and how/where are they maintained?

39 Planning the Audit Define the Audit Scope What is the goal of the audit? What resources are available? What are the components of the process and which will you review (i.e. physician transaction review may include how need for service is determined, how agreements are negotiated, how contracts are established, how performance is measured, how services are documented, etc.) Watch out for scope creep

40 Performing the Audit Conduct entrance / kick-off meeting Discuss audit coordination, scope, workplan & timing Conduct audit based on previously developed workplan Maintain audit workpaper / documentation file Prepare workpapers documenting work performed using standardized workpaper format Quality Assurance (QA) review should be conducted by Manager / Supervisor level Review notes / comments should be provided for follow-up Findings should be documented, supported by audit evidence and provided to audit contact prior to finalizing Other audit issues Conducting interviews, Sampling, Extrapolating sample results, Unresolved items

41 Preparing an Audit Report An audit report should be prepared that clearly summarizes significant findings and other issues that may come to the auditor s attention during the audit Audit findings should be supported by documentation Other issues that may require further review should be identified and it should be clearly noted that no conclusions can be drawn Standardized audit report format should be utilized Exit meeting should be conducted with audit contact person, their manager / supervisor, and other appropriate interested parties Clear, unbiased, documented findings should be presented Recommendations for improvement in processes, etc. or to eliminate compliance gaps should be presented

42 Operationalizing the Findings Audit report and specific findings should be shared with all interested / affected parties with the goal of improving future performance and eliminating compliance exposures Ownership of compliance issues needs to be determined Team leader identified to implement recommendations Time frame for implementation should be agreed to Team leader charged to implement recommendations Champion identified for support Follow-up meeting should be scheduled for status update Follow-up audit or limited review should be performed to determine whether findings and recommendations were effectively implemented Can reflect on compliance program effectiveness

43 Effectiveness Evaluation Why measure effectiveness? US Sentencing Guidelines OIG Guidance and Supplemental Compliance Program Guidance American Health Lawyers Association and OIG Resource documents Corporate Integrity Agreements

44 Effectiveness Evaluations What do you measure? Seven elements (plus risk assessment) Authority Policy and Procedures (including Standards of Conduct) Training and Education Reporting Auditing and Monitoring Response and Prevention Enforcement Risk Assessment and Work Plan Development

45 Barriers to Effectiveness Compliance Officer Lack of authority to enforce standards, policies and procedures Lack of support by Board or Executive Management Inadequate skills to perform the essential functions of the job Lack of resources or commitment from employer

46 Barriers to Effectiveness Code of Conduct / Policies and Procedures Well written policies or Code that is not available to workforce Well written policies that are not enforced A poorly written Code or policies that are out-ofdate, are not specific to organization, are inaccurate

47 Barriers to Effectiveness Training and Education Inaccurate training materials Limited access to training Poor quality of training (e.g., dull, technical, too long) Poor quality of delivery of training (e.g., unqualified trainers, boring narration) Limited variation in training

48 Barriers to Effectiveness Open lines of Communication Lack of culture of openness Lack of awareness of mechanisms to report violations Lack of anonymous reporting mechanism Actual or perceived fear of retaliation Limited action on reported issues

49 Barriers to Effectiveness Disciplinary Guidelines Poorly communicated guidelines Preferential or limited enforcement of guidelines Lack of progressive discipline

50 Barriers to Effectiveness Auditing and Monitoring Lack of an auditing and monitoring schedule based on organizational risks Limited resources to perform function Auditors not trained well Lack of independence/objectivity or conflict of interest of the auditors

51 Barriers to Effectiveness Responding to Offenses Lack of thoroughness of investigations Response is not timely No corrective action taken Limited follow up by compliance program Lack of monitoring of corrective actions

52 Tools for Measuring Effectiveness HCCA Resource Document: Evaluating and Improving a Compliance Program: A Resource for Health Care Board Members, Health Care Executives and Compliance Officers Available on home page of HCCA website:

53 Effectiveness Evaluation How do you measure effectiveness? Issue to be Scored Description Score Score Basis Comments 1.00 Annual Risk Assessment and Evaluation 1.01 Has an annual compliance risk assessment been performed by the SJHS Compliance Department in the last two years in order to identify the relevant compliance risk areas? 1.02 Have the results of the prior year compliance risk assessment been communicated to the Board and other stakeholders? Formal mechanism exists to evaluate organizational compliance risks. Process for evaluation is documented, the assessment is completed in accordance with established process, and communicated to the Board and other stakeholders. Documentation in the form of minutes, memoranda or other documentation reflect that the risk assessment is communicated to the Board and other stakeholders along with sufficient detail for the Board to evaluate the adequacy of the assessment and to prioritize resources based on identified risks Was a compliance effectiveness evaluation developed in the last year by the SJHS Compliance Department to identify opportunities to improve the effectiveness of the SJHS Ministry Integrity Program? Formal mechanism exists to evaluate compliance program effectiveness. Process for evaluation is documented and the assessment is completed in accordance with established process Does the compliance office communicate the results of prior annual compliance effectiveness evaluations to the Board and other stakeholders? Documentation in the form of minutes, memoranda or other documentation reflect that the effectiveness assessment is communicated to the Board and other stakeholders along with sufficient detail for the Board to evaluate the effectiveness of the compliance program and determine program improvements necessary to improve effectiveness.

54 Tools for Measuring Effectiveness OIG Supplemental CPG for Hospitals: Developed a monitoring tool based on supplemental guidance Benchmarked status of program against new standards

55 FACTORS COMPLIANCE OFFICER AND COMMITTEE YES NO COMMENTS Does the compliance program have a clear, well-crafted mission? Does the compliance program have sufficient resources (staff/budget), training, authority and autonomy to carry out its mission? Is the relationship between the compliance function and general counsel function appropriate to achieve the purpose of each? Is there an active compliance committee, comprised of trained representatives of each relevant function department as well as senior management? Are ad hoc groups or task forces assigned to carry out special missions, such as conducting an investigation or evaluating a proposed enhancement to the compliance program? Does the compliance officer have direct access to the governing body, the Director, all senior management, and legal counsel?

56 Effectiveness Evaluation How do you measure effectiveness?

57 Other Methods of Measurement Employee Surveys Interviews or Focus Groups Document Reviews Benchmarking against providers Denial Management Existing Measures Compliance Training Quizzes

58 Ethics Resource Center National Business Ethics Survey 2009

59 National Business Ethics Survey 2009 Sixth in a longitudinal survey of U.S. Workplaces starting in report polled 3,010 employees in business, government and nonprofit sectors (separate reports for each sector) Provides national benchmark on organizational ethics Tracks the views of employees at all levels within organizations

60 National Business Ethics Survey 2007 Reported misconduct at work is down from 2007, but is still high at 49% More employees are reporting what they observe up to 63% (from 58 % in 2007) Ethical Cultures are stronger an increase to 62% (from 53% in 2007)

61 National Business Ethics Survey 2009 Perceived retaliation as a result of reporting misconduct is up. About one quarter of respondents agreed that the recession has negatively impacted the ethical culture in their organization. Organizations with weak-leaning cultures report more misconduct.

62 COUNTY OF ORANGE HEALTH CARE AGENCY 2007 COMPLIANCE PROGRAM SURVEY Please select the most appropriate answer to the following statements Agree Agree Disagree Disagree Completely Somewhat Somewhat Completely 1 I understand the purpose of a Compliance Program My management team supports the goals and objectives of the Compliance Program and the Code of Conduct. The Code of Conduct is clear and easy to understand. I am aware of the policies & procedures related to my job.

63 C O U N T Y O F O R A N G E H E A L T H C A R E A G E N C Y C O M P L IA N C E P R O G R A M S U R V E Y P lea se sele c t th e m o st a p p ro p ria te a n sw er to th e fo llo w in g sta te m e n ts A g re e A g ree D isa g ree D isa g re e C o m p letely S o m ew h a t S o m ew h a t C o m p le tely 5 If a c o m p lian c e c on c ern c o m es to m y a tten tion, I w o u ld rep o rt it to a su p erv iso r/m an a g er, th e O ffic e o f C o m p lian c e, o r o th er ap p ro p riate a rea. 6 If a c o m p lian c e c on c ern c o m es to m y a tten tion, I w o u ld b e c o m fo rtab le rep o rtin g it to : M y S u p erv iso r/m a n a g er T h e O ffic e o f C o m p lian c e H C A H u m a n R eso u rc es O th er (e.g. S a fety O ffic er, In tern a l A u d it) 7 F ea r o f reta lia tion w o u ld p rev en t m e fro m rep o rtin g a c o m p lia n c e p ro b lem. 8 T h e C o m p lian c e P ro g ra m h a s a ffec ted th e w a y I p erfo rm m y d a y-to -d a y resp o n sib ilities.

64 C O U N T Y O F O R A N G E H E A L T H C A R E A G E N C Y C O M P L I A N C E P R O G R A M S U R V E Y Y e s N o 9 I a m f a m ilia r w ith th e H C A C o m p lia n c e P r o g ra m. 1 0 I h a v e c o n s u lte d o r re f e r re d to th e C o d e o f C o n d u c t. 1 1 I k n o w w h e r e to lo c a te H C A p o lic ie s a n d p ro c e d u r e s. 1 2 I k n o w th e n a m e o f th e C h ie f C o m p lia n c e O f fic e r. 1 3 I k n o w h o w to c o n ta c t th e C h ie f C o m p lia n c e O f fic e r. 1 4 I a m a w a re o f th e E m p lo y e e C o m p lia n c e H o tlin e a n d h o w to a c c e s s it.

65 C O U N T Y O F O R A N G E H E A L T H C A R E A G E N C Y C O M P L I A N C E P R O G R A M S U R V E Y I a m a w a r e o f t h e C o m p li a n c e P r o g r a m w e b s i t e o n th e In t r a n e t. I a m a w a r e o f t h e H IP A A w e b s i t e o n t h e In t r a n e t I h a v e a c c e s s e d th e C o m p li a n c e P r o g r a m w e b s i t e o n th e In t r a n e t. Y e s N o 1 8 I h a v e a c c e s s e d th e H IP A A w e b s i t e o n th e In t r a n e t a 1 9 b I h a v e o b s e r v e d w o r k p la c e b e h a v i o r th a t I f e lt v i o la t e d th e C o d e o f C o n d u c t. If y e s, d id y o u r e p o r t th e v i o la t i o n t o a n y o n e? P le a s e t e ll u s w h y y o u d id n o t r e p o r t th e o b s e r v e d v i o la t i o n.

66 C O U N T Y O F O R A N G E H E A L T H C A R E A G E N C Y C O M P L I A N C E P R O G R A M S U R V E Y 2 0 A s s i g n e d S e r v i c e A r e a A d m i n ( i n c l u d e s I T, Q M a n d H R ) B e h a v io r a l H e a lt h F i n & A d m S v c s ( i n c l H C A / A c c t g. ) M e d ic a l & I n s t. H e a lt h P u b l ic H e a lt h S v c s R e g u la t o r y H e a l t h A r e y o u S u p e r v i s o r y / M a n a g e m e n t? Y e a r s w i t h H C A o r H C A A c c o u n t i n g Y e s N o L e s s t h a n 1 y e a r 1-2 y e a r s 3-5 y e a r s y e a r s 1 0 o r m o r e y e a r s 2 3 P l e a s e p r o v i d e a d d i t i o n a l c o m m e n t s o r s u g g e s t io n s y o u m a y h a v e r e g a r d i n g t h e C o m p l i a n c e P r o g r a m :

67 Board Oversight Excerpt from Interview with James G. Sheehan, New York State Medicaid Inspector General full text available at Five reasons board members should be concerned: Right thing to do Fiduciary and legal duty Specific reporting requirements State requirements Board members can face personal exposure

68 Interview Continued Board role to be educated Board can be held responsible for neglecting their duty of oversight The biggest problem with oversight is failing The biggest problem with oversight is failing to ask the tough questions, failing to require and review compliance metrics, and failing to require education for the board and senior managers

69 Reporting Measurement Activities Provides board education Understand risk position Strategic alignment Required as part of oversight duty Sufficiency of budget and resources

70 Closing the Loop Communicate findings with governance and key stakeholders Communicating status and effectiveness of actions Metrics Process v. outcomes

71 Lessons Learned Know the resources you have to commit for both the evaluation processes, corrective action, and work plan Start small and build Continuous effectiveness are you addressing the most important risks? Countrywide example

72 Lessons Learned from Oz If I only had a brain Planning and developing a road map is the best way of reaching your destination, but anticipate a few obstacles on your path If I only had a heart Establish and maintain key relationships to help you be successful If I only had courage Courage is developed, not innate, and grows based upon the confidence that success brings

73

74 Questions?