Evaluation Processes, Investigations, and Noncompliance Responses Flashcards

1
Q

What is Internal Monitoring?

A

The U.S. Sentencing Commission Guidelines Manual and OIG support auditing and internal monitoring as vital components of an effective compliance program. The joint publication by the HHS OIG and American Health Law Association—The Health Care Director’s Compliance Duties—affirms the importance of auditing and monitoring, stating that, “Monitoring and auditing provide early identification of program or operational weaknesses and may substantially reduce exposure to government or whistleblower claims.”[6] Additionally, the COSO risk management model places monitoring as one of five principal components of good risk management and control practices. COSO looks to monitoring to help ensure “that internal control continues to operate effectively.”

Auditing and internal monitoring are processes to measure program effectiveness and detect criminal conduct. While auditing is a formalized independent approach to measuring effectiveness, monitoring is not. Internal monitoring can be daily reviews of a process by an employee at any level throughout the organization, and the individual performing the monitoring does not have to be independent of the activity. Monitoring is needed to ensure controls are in place and operating effectively. Monitoring also assures accountability by steering behavior toward compliance, alerting management to potential concerns (such as a breakdown in controls so that corrective action may be taken), highlighting areas of risk within the organization, and allowing management to report on the overall effectiveness of the compliance program. The compliance department may be responsible for some monitoring activities, but the function primarily depends upon management to report internal monitoring results based on a predetermined schedule. All internal monitoring activities should be well documented. The results should be captured, and any action taken should be memorialized. It is through documentation of monitoring activities as part of the seven elements that the compliance function demonstrates program effectiveness.

Internal monitoring will assist an organization in exposing potential issues before they become a compliance risk requiring investments of time and money to determine the nature and extent of the problems. An analysis of risks within an organization should begin with a prioritized list of regulatory exposures and can be delegated by department or functional area. As previously noted, any employee within the organization can be assigned a monitoring activity depending on their subject matter expertise. Once the risks for the organization have been assessed, the auditing and monitoring plan is developed. Internal monitoring should be woven into the fabric of the organization and used to promote an ethical culture from the top down. All levels of management should be involved in monitoring activities for their assigned areas based upon the high risks within their area. Monitoring can be as simple as an employee reviewing the work of a new employee for three to six months to verify that new employee’s education is appropriately applied to the job.

Other examples of internal monitoring activities include the following:

A coding supervisor reviews five accounts per week that have been coded by a new inpatient coder to ensure appropriate application of coding rules and understanding of medical terminology.

A compliance employee monitors physician timecards for medical directorship payments to ensure all required fields are completed and the time submitted to accounts payable is within the contract limits.

A registration supervisor monitors a number of new patient registrations per week using a checklist to verify that the required acknowledgment for the Notice of Privacy Practices has been scanned and also that other required registration documents are present.

Another example of internal monitoring is establishing internal controls that alert the organization to variants in their processes. Again, an employee of the functional area can be assigned to monitor the internal controls and report on any skews or trends in the data.

It is important to note that monitoring does not replace auditing. The two are very distinct processes. The ongoing auditing of operations needs to be performed by parties independent of those operations. This will ensure objectivity in performing the audits. The audit objectives are to determine whether the monitoring program is operating as it should and that adopted policies, procedures, and internal controls are adequate and their effectiveness is validated in reducing errors and risks.

Remember, monitoring is a form of self-assessment that can be performed at any level within any healthcare organization to strengthen the culture of compliance with the policies, procedures, rules, and regulations that govern the healthcare industry.

2
Q

Why and how should you partner with stakeholders when developing a monitoring plan?

A

The best auditing and monitoring programs are also opportunities for teaching and collaborating with stakeholders. In designing a monitoring program for a process or functional area, the stakeholders whose work will be monitored should be involved from the beginning. Monitoring can take many forms, so be flexible and open to ideas. Gather stakeholder feedback on the scope (i.e., what will be monitored) and procedures (i.e., how the evaluation, documentation, and follow-up will take place). Take the opportunity to educate business partners about applicable legal, regulatory, and other requirements; the importance of compliance; and the role of monitoring in preventing problems.

Risk assessment is integral to developing a valuable monitoring program.[8] Operations staff have a critical role in defining the risks that will drive the scope of monitoring. Through these conversations, compliance staff should also seek to gain a practical understanding of the business partners’ workflow, operational needs, and day-to-day challenges. This lends important context to the monitoring program and helps compliance professionals recommend not only actionable remedies for any issues in need of correction, but also relevant strategies for quality improvement. When monitoring moves beyond finding and fixing problems and into a collaborative conversation about how to mitigate future risks and streamline business processes, everybody wins.

Before engaging in monitoring activities, let business partners know time expectations for their preparation and monitoring process. Ask them how much time they spend throughout the process, and track this information so that future estimates are based on real-life data. Demonstrating respect for business partners’ time helps set a collaborative tone from the start.

Provide the criteria to be used to evaluate compliance well before monitoring begins. If possible, have a premonitoring meeting with business partners to discuss the criteria and establish a shared understanding of how they relate to key risk areas for the organization.

Specify what compliance staff will need business partners to provide or do (e.g., documentation, observation of an event, interviews with particular individuals) to verify that each criterion is met. This makes the process transparent, streamlines preparation, and opens the door for discussion of any questions or concerns before monitoring activities begin.

Monitoring meetings conducted in person can be a great way to connect with business partners and establish solid working relationships. In advance of the monitoring meeting, let business partners know that it is a two-way exchange, and encourage them to bring compliance questions that may be unrelated to the specific monitoring activities. Encourage business partners to invite someone from their area to the meeting, as it is often the frontline employee who may be tasked with some of the monitoring activities. The frontline employee should understand the purpose of the assignment. Through words and actions, reinforce the idea that the compliance program is a partner to them with similar goals—to work as effectively and efficiently as possible while maintaining compliance. Keep the following in mind when preparing for meetings:

Schedule sufficient meeting time to allow the conversation to expand.

Point out areas of success in addition to any corrective actions needed.

Discuss long-term quality-improvement goals and ask how compliance can lend support.

Ask about any training or education needs and make a plan to address them.

Have a point-of-contact compliance professional in attendance who will be available to answer questions and follow up after the meeting.

The OIG points out that open lines of communication are a product of an organizational culture that encourages open communication without fear of retaliation.[9] Transforming an interaction like compliance monitoring (which can sometimes be viewed as intimidating or punitive) into a productive, forward-thinking dialogue can do wonders to build an organizational culture with strong relationships and free-flowing communication between compliance and the operational departments. This will help business partners feel more comfortable reaching out to compliance in the future as questions or issues emerge and before those issues become serious.

Monitoring meetings may reveal reports already used by management each day to manage operations. These reports may be used to detect issues and could be used as evidence of detective monitoring for compliance. Further discussion with business partners may reveal daily activities resulting in highlighting and correcting mistakes. The activities could be captured in a report as evidence of preventive monitoring. In all likelihood, monitoring is already occurring in the organization, and compliance may need to educate the business partner on how to capture the monitoring efforts in a format to demonstrate compliance effectiveness.

3
Q

How can Employee Interviews and Surveys be used to monitor compliance?

A

Employees are a wealth of knowledge who can help drive or supplement monitoring activities and who often enjoy participating in their organization’s improvement processes. Thus, they can offer an unexpected amount of information about an organization’s risk areas. Ask them openly about risk, their daily activities, and the processes and procedures they follow and the soundness of each. In addition to targeted interviews, periodically send out questionnaires to staff for feedback or conduct focus groups. Remember always to reassure employees that the organization maintains a strict nonretaliation policy and that employees will not be retaliated against for reporting suspected misconduct.

At performance review time, ask employees if there are any areas of potential wrongdoing or noncompliance. Pose compliance-related questions in employee exit interviews to identify potential risks. Here are some sample compliance-related exit interview questions:

Do you think the organization lives up to its code of conduct?

Did you have any concerns about ethical issues or compliance-related practices? If so, please explain.

Did you have any hesitation in raising any issues in your chain of command?

Would you go around your chain of command if there were areas you felt weren’t being addressed?

4
Q

How can training be monitored for effectiveness?

A

Training is an area that should be monitored. Effective training can help ensure compliance within the organization. Monitoring training effectiveness should be included on the monitoring plan. Although training may appear to be straightforward to most healthcare leaders, the effectiveness of follow-up is anything but clear-cut. After training is completed, the primary focus is on the individual employee’s behavior. Did the employees learn the material, and can they use it effectively in their current or future roles? If at the end of the training program there is a certification test, the goal is to have all trainees pass. If there is no official certification test, management still wants some type of assurance that employees have learned the course material and know how to apply it. How does management gain that assurance?

Effectiveness requires one to validate the results in a meaningful way to determine if employees learned the material. If they have not, technical or other assistance may be provided before the participant moves on to the next subject or more advanced training modules. Training is always done with specific objectives. Validating through measurable metrics based on specific objectives gives leaders the answers they need regarding the training’s effectiveness.

When participants do not retain information from training sessions, the metrics should prompt the instructor to revise the training material or deploy a different training methodology. If the desired results are generated with other instructors, perhaps the instructor requires additional mentoring or training.

Often, organizations may provide participants with a course evaluation form when training is completed. This is an effortless way to get feedback, but it is not the best way to measure the training’s effectiveness. Some organizations have moved post-training feedback evaluations to a new level, one in which the content of the training is evaluated with an assessment as to whether the participant’s post-training knowledge is greater than pre-training knowledge.

Commonly referred to as knowledge assessment, it measures knowledge retention long beyond the “pass the test” phase—at least six months post-training. When the long-range objective is to affect behavior, passing the test, whenever it is given, does not guarantee the knowledge is going to be used by the employees when performing daily duties.

There are no set metrics used to measure an organization’s training effectiveness. What is important is that the selected metrics are meaningful, decided on prior to the training event, and monitored over set time periods. It is important for Operations, Compliance, and Human Resources to agree on the metrics and how to report them to leadership. The data alone provides little value. Its interpretation is key because it may include a root cause analysis of a known or an unknown problem or lead to improvements in additional training programs, operations, and the overall culture of the organization.

One thing to avoid in selecting metrics is inadvertently incentivizing negative behavior. For example, it would be counterproductive to measure the increase in coding productivity without factoring in the quality of the work following a training program on new CPT (Current Procedural Terminology) or ICD-10 codes. When designed, managed, and monitored properly, metrics are a valuable tool to help determine the effectiveness of training programs. These efforts, along with partnering with stakeholders and surveying staff, lead to the development of a documented monitoring plan.

5
Q

How can a monitoring plan be developed?

A

The risk assessment process described in chapter 3 will drive an organization’s auditing and internal monitoring plan. Compliance will work with business partners to determine how best to leverage resources to manage identified risks within an acceptable level. Some monitoring will be conducted at set intervals, and some monitoring will be continuously performed. As previously noted, monitoring activities already used within business segments may simply need to be documented and routed to compliance. The size and complexity of the organization, along with careful analysis of organizational risks, will determine the types of monitoring activities necessary to effectively measure organizational compliance.

Monitoring may be conducted in a variety of ways. Self-monitoring is conducted when employees report on their own performance. Self-monitoring can be used for activities that present a low risk to the organization. Self-monitoring is conducive to a culture where negative results do not result in punitive actions. This kind of monitoring creates personal accountability, and then auditing can be used to verify self-monitoring results.

Continuous monitoring is an ongoing process that permits accurate trending of data. It highlights breakdowns in processes so that workflow adjustments can be made immediately to correct issues. It is most often an automated process.

Compliance should develop a policy and procedures for their auditing and monitoring program. The frequency of reporting results from monitoring activities by business partners should be established prior to implementation of the procedures, and consequences should be agreed upon for a business partner’s failure to report. This is when the “tone at the top” becomes vital to the success of the monitoring plan. The Association of Certified Fraud Examiners defines “tone at the top” as “the ethical atmosphere that is created in the workplace by the organization’s leadership. Whatever tone management sets will have a trickle-down effect on employees of the company.”[10] The success of any monitoring program is grounded in the support of the board and senior leadership. Senior leadership should be vocal in support of the monitoring plan and set the expectation for management’s participation in the compliance program.

The results of monitoring are not simply stored on a computer to be provided as evidence of a compliance program. The results from monitoring activities, any corrective action taken if monitoring results fall below an acceptable preestablished threshold, and the timeliness of the corrective actions should be discussed with management. Organizations must determine an acceptable accuracy threshold based upon their risk appetite—what the organization is willing to live with regarding an error rate. When monitoring results fall below the preestablished threshold, compliance should work with management to determine the corrective action that should be taken. Management owns the corrective action plan and should be responsible for the remediation deemed necessary. Management should work to implement the corrective action and report steps taken to correct the issue to compliance. Depending upon the issue monitoring reveals, the results may indicate the need for an independent audit, at which time the organization shall take reasonable steps to do the following:

Respond appropriately to any violations of the law or policies to prevent future misconduct.

Modify and improve the organization’s compliance program.

Make restitution when appropriate if criminal conduct is found.

Compliance should also develop a process to address when monitoring results exceed expectations on a continuous basis. The results may indicate a need to reduce the monitoring period (for example, moving to a quarterly report from a monthly report). This helps leverage limited resources to focus on areas of risk.

The type of activities to monitor is not only based upon a risk assessment but will also depend upon the type of healthcare organization. According to Strategic Management Services CEO Richard P. Kusserow, “Monitoring programs should be designed to test for inconsistencies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other possible breakdowns in internal controls. Monitoring techniques may include sampling protocols that permit program managers to identify and review variations from an established baseline.”

6
Q

How can monitoring efforts be reported and evaluated?

A

Once risks have been identified, a monitoring plan has been developed, and reports of monitoring efforts have been disseminated to Compliance, the compliance officer will focus on a reporting tool to capture monitoring and corrective action plans from the business units. The tool used will depend on the organization’s size. Some organizations utilize software purchased to assist in documenting auditing and monitoring results with report capability. Other organizations will use Excel to generate a scorecard and/or summary with graphs.

Documentation that should be captured on the plan includes the following:

The date of the activity and the individual(s) conducting and participating in it

A summary of the data or activities reviewed

A description of any noncompliance, potential noncompliance, data irregularities, or other identified deficiencies

A description of any actions taken, to be taken, or recommended, including the person responsible for completing actions and the anticipated date of completion

Documentation of monitoring should include sufficient detail to allow verification that the monitoring plan was followed.

Regardless of the tools used, the compliance department will determine what monitoring to report to senior leadership and the board compliance committee. The reports may vary for each group, as each group may require a differing level of detail. The compliance officer’s goal is to educate the board on monitoring efforts so that the board members are knowledgeable about risks and the activities performed to manage identified organizational risks. Board minutes should reflect the compliance officer’s report on monitoring efforts within the organization and discussions held regarding specific monitoring efforts and corrective action plans. This discussion, documented in the minutes, provides evidence of board involvement in the management of the organization’s compliance program and knowledge of the risks within the organization. This reporting should be performed on a regular and timely basis.

7
Q

What is auditing?

A

Auditing is a discrete, planned event in which a focused and structured process is designed to independently evaluate a distinct area of the organization or practice. Audits help to ensure that the practice or organization remains vigilant in its compliance efforts. There are many types of audits, including internal and external audits and prospective and retrospective audits.

8
Q

What are internal audits?

A

These audits are formal reviews of compliance with a particular set of standards (for example, policies, procedures, laws, and regulations) used as base measures. Internal audits are performed by individuals who are independent of the process being audited; in other words, by individuals who do not actually work in or manage the area being studied. The idea is to concentrate attention on matters that have been causing the organization or practice problems with compliance, as indicated by the results of ongoing monitoring activity, risk assessment, or other reports, or areas that may cause the organization compliance concerns, such as issues identified by the Centers for Medicare & Medicaid Services (CMS), areas of heightened enforcement concerns as reflected in the Office of Inspector General (OIG) Work Plans, special fraud alerts, audits, CIAs, and other law enforcement initiatives.

Internal audits should focus on one aspect of the responsibilities of a department or section. If the policy is multifaceted, then detailed criteria for the audit should be itemized. It is best to keep each audit directed so that both the review and the results are manageable. An audit that attempts to accomplish too much at one time has an increased opportunity for failure. Consider conducting several smaller audits rather than one large investigation unless you have the time and workforce to complete the bigger scope.[2]

Audits may be prospective or retrospective. Prospective audits examine a system in action, as it is happening, whereas a retrospective audit looks at work that has already been done. An example of a prospective audit is a prepayment claim review in which claims are reviewed before they are submitted for payment, therefore allowing for correction if a problem exists. On the other hand, claims that have already been submitted for payment and are then selected for audit are being reviewed retrospectively (or after the fact). Retrospective audits are often used because the data is more easily obtained for sampling and the sample is usually more complete. Retrospective audits are also used to establish a baseline or reference point of the provider’s current policies and practices.

Based on the findings of an internal audit, the organization or practice may implement a corrective action plan that may alter work processes and current policies, establish measurable improvement goals, result in repayment of an overpayment, or conclude that there is not enough evidence to warrant significant changes. Internal audits provide a mechanism for preventing, or at least mitigating, problems before they create significant legal risk. Audits are an important element of an effective compliance program.

Audit findings must be documented and reported to senior management, the compliance or audit committee, and the governing body. The audit report should include findings of noncompliance and/or suspicions of misconduct and an action plan to address and resolve each potential problem, including planned follow-up actions.

If the audit identifies reportable violations, the provider should plan for voluntary disclosure to the applicable government agency. Before acting, however, the provider should contact its attorney for guidance.

9
Q

What are external audits?

A

These audits are performed by someone outside of the organization or practice, such as an independent auditor, a government contractor, the OIG, a government program, or a commercial payer. External audits will be discussed later in this article.

10
Q

Who are external auditors?

A

Because external auditors are hired by the company and not employed by it, they have no stake in the outcome of an audit and can therefore examine records without bias. They can provide important and valuable insights about the operations of the organization and share best practices based on their experience. Also, with increasing government oversight of compliance programs, an external auditor may strengthen the company practices regarding government program compliance.

External auditors may be retained to perform a variety of auditing services, including, for example, audits that pose a conflict of interest for the compliance officer or financial officer, to perform a compliance program effectiveness audit, to perform an objective coding audit, or to supplement resources.

11
Q

Who are government auditors?

A

Government auditors are authorized to investigate claims submitted by any entity or provider that provides Medicare beneficiaries with procedures, services, treatments, or equipment. Each government auditor is established independently with a different mission and scope of work. Therefore, there is no standard for the number of record requests, timeline, appeals process, or type of review.[10] The goal of most government program audits is to identify improper payments and to identify fraud and abuse. Each provider must ascertain for themselves the types of government audits that apply to their practice or organization and prepare in advance for those audits.

In addition to improper payment and fraud and abuse audits, many government agencies conduct audits of a provider’s compliance program for evidence that demonstrates program effectiveness. Failure to do so can result in an increased risk of fines and sanctions. Medicare Advantage Plans undergo intense compliance program effectiveness audits as part of a program audit. Per the CMS 2021 Program Audit Process Overview document, in the third week of fieldwork, CMS may travel to the sponsoring organization’s location for a period of four to five business days to conduct the compliance program effectiveness (CPE) portion of the audit. Otherwise, fieldwork will continue with webinars for the CPE portion of the audit. During this time, CMS evaluates the sponsoring organization’s comprehensive approach to addressing an identified issue or noted deficiency through tracer samples.[11] The “Medicare Parts C and D Program Audit Protocols, Attachment 1 CPE Audit Process and Data Request” provides an excellent roadmap to conducting a compliance program effectiveness self-audit.

12
Q

How is the audit defined?

A

Auditing is not a one-size-fits-all process. Auditing topics, scope, and methodology will vary by provider type, size, risk priority areas, and available resources. The OIG’s Compliance Program Guidance for various healthcare providers and suppliers was meant to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements.[3] These guidance documents are a must-read for anyone in healthcare compliance and audit. Provider-specific risk areas are identified and discussed, as are methodology and sample selection, best practices, and recommendations.

An important element in all compliance programs is the risk assessment (discussed in chapter 3). A thorough risk assessment should identify all known and suspected risk areas applicable to the provider, assess the probability and impact to the provider if the risk were to occur, and prioritize risks to establish a most-to-least-critical importance ranking. Those risks identified as having a high probability and high impact should be assessed for ongoing monitoring or auditing.

Common High-Risk Areas for Providers and Suppliers
Coding
Billing
Documentation
Medical necessity
Financial relationships with physicians (compliance with Stark Law)
Anti-kickback schemes
HIPAA privacy and security
Cybersecurity

Telehealth is also a high-risk area, particularly as a result of the COVID-19 public health emergency when CMS implemented a number of waivers and flexibilities that allowed Medicare beneficiaries to access a wider range of telehealth services without having to travel to a healthcare facility. This resulted in unprecedented increases in telehealth and the possibility for fraud in telemedicine. CMS and other payers will need to monitor program integrity implications and address the potential for fraud and abuse in telemedicine. Hence, there will probably be an increase in external audits of services provided by telemedicine.

Other areas to monitor closely for potential high risk include government actions—or headline-making settlements—as they are a bellwether of future audits, CMS contractor audits, and the OIG Work Plan. The OIG Work Plan lists various audits and evaluations that are underway or planned during the fiscal year and beyond.[4] The Work Plan is dynamic, and the public-facing Work Plan is updated monthly.

Monitoring activity, findings in an audit, and reports made to the compliance officer may also result in the need for a discrete audit, which may be a full audit or a smaller, focused or probe audit. The OIG states in its guidance documents that one of the most important components of a successful audit protocol is an appropriate response when the practice or facility identifies a problem. This action should be taken as soon as possible after the date the problem is identified, noting that the specific actions should depend on the circumstances of the situation. So an audit plan should remain flexible to accommodate changing risks and audit needs.

13
Q

How is an audit plan created?

A

Once the risk assessment is completed, the risks are ranked, and the mitigation strategies currently in place have been identified, sort the risks from highest to lowest. Highest risks should be prioritized for audit. Additionally, other areas may need to be considered for audit, including matters that may have been the subject of a regulatory finding, observation, or recommendation; follow-up on corrective action plans that require auditing or monitoring to confirm compliance; and any incomplete audits from the previous year. However, since most providers do not have unlimited resources, the next step is to assess the time and resources needed to audit the high-risk and other areas against current resources to determine which audits can realistically be completed with current staff and which audits may need to be performed by an independent third party. To help determine this, ask: What information will be needed for the audit? Is the needed information readily available? Who will perform the audit? How long will each audit take? Can more than one audit be conducted at the same time? Will legal counsel need to be involved in any of the audits? Will an outside consultant be required? With answers to these questions, a compliance officer can begin to map out the audit plan, bearing in mind that an audit plan is dynamic and may need to be readdressed if an urgent compliance concern presents itself during the year that requires an audit investigation.

Audit plans are typically created at the end of a calendar year for the following calendar year. Many providers schedule audits by quarter and update the audit plan quarterly. Note that if the provider is under a corporate integrity agreement (CIA), the audit plan may be dictated by the CIA. Individual audits must be planned and scheduled with sufficient resources assigned to those who are trained about the audit area, independent, objective, and free of conflicts.

14
Q

What are the phases of the audit process?

A

An audit is a methodical examination and review that follows an established audit procedure and generally requires considerable preplanning to be carried out effectively to ensure valid results. The process can be divided into four stages: planning, execution, reporting, and follow-up.

Planning Phase
The planning phase can be further divided into five distinct phases:

Determine audit subject and purpose

Define audit objectives

Define audit scope

Perform preaudit planning

Notify the area(s) being audited

  1. Determine Audit Subject and Purpose
    This first step in the planning phase determines the specific area to be audited and the reason why this area is the subject of audit. The reason for the audit, for example, could be that it ranked high on the risk assessment, is being conducted as a result of a regulatory recommendation, is on the OIG Work Plan, or is part of a compliance investigation.

At this point, if you have reasonable suspicion to believe that a fraud or other irregularity may have occurred, with legal input, decide whether the audit should be implemented under the attorney-client privilege (discussed in more detail later in this article).

  2. Define Audit Objectives
    Objectives should be specific to the audit being performed. For example, an audit objective might be to determine compliance with organization policy and procedures applicable to the function under review, or to determine compliance with applicable federal and state regulations that pertain to the function under review, or to verify conformity with contractual requirements. Be specific and clear about what the audit is expected to achieve.
  3. Define Audit Scope
    Define the population, dates of service, area(s) of the operation that will be involved, and people to be questioned. Determine whether the audit will be prospective or retrospective, whether it will be a sampling or probe audit (a small random sample) or comprehensive in scope. Establish the time frame, including milestone dates for conducting the audit. Determine who will perform the audit. Determine if legal counsel should be involved in the audit process.
  4. Perform Preaudit Planning
    Determine audit criteria and identify specific regulations applicable to the audit. Determine appropriate sample selection method. Determine which documents will be audited and how the data will be submitted (for example, claims to be listed on a spreadsheet with predetermined data fields). Create a data collection tool to track the items requested, as well as additional documentation collected and/or submitted, dates, times, findings, notes, etc.
  5. Notify the Area(s) Being Audited
    Prepare a notice to employees who will be impacted by the audit and include pertinent information about the audit, the purpose of the audit, objectives, scope, timing, documentation to be submitted, and any expectations of them before, during, and after the audit.

Execution Phase
The execution phase can be divided into two distinct phases: initial meeting with team and conducting the audit.

Initial meeting with team: Plan and schedule a preaudit meeting with all impacted employees to explain the audit, review the process and any associated documents, review data collection tools, and set milestone dates. Answer questions. Set expectations.

Conduct the audit: Keep impacted organizational area(s) apprised along the way of any findings and urgent actions to be taken if necessary (for example, temporarily hold submission of claims for a particular error until a mitigation strategy can be implemented).

Reporting Phase
The reporting phase can be divided into three distinct phases: draft audit report, management response, and final report.

  1. Draft Audit Report
    Develop a draft audit report that includes findings, recommendations designed to correct any potential weaknesses or areas of noncompliance discovered during the audit, and requests for management response to each finding/recommendation, including corrective action plan(s) to be developed and implemented.
  2. Management Response
    Submit audit report with findings in draft form to impacted employees to obtain their comments and feedback. Include a request for root cause analysis and corrective action plans, as applicable. Provide specific due dates for responses.
  3. Final Report
    Review and incorporate feedback into a final report. Send the final report to all impacted employees, senior leadership, and compliance or audit committee. The final report should include the following sections:

Purpose

Objectives

Scope

Methodology

Regulatory framework

Findings

Recommendations

Follow-up Phase
The timing of the follow-up phase will vary depending on the type of audit, audit findings, management responses, and corrective actions to be implemented. However, each of the elements below must be confirmed prior to closing the audit:

Confirm successful implementation of corrective actions.

Verify that management responses are implemented.

Assess new processes, procedures, and actions.

Once confirmed, a pass/fail notification may be issued, as appropriate, and the audit can be closed.

15
Q

What are the differences between statistical and nonstatistical sampling?

A

In studying a population, it can be reviewed in its entirety; a sample of the population can be reviewed using statistical sampling, where the results can be extrapolated to the entire population; or a sample of the population can be reviewed using nonstatistical (judgmental) sampling, where the results are constrained to the sample itself.

Statistically valid sampling is the most credible for identifying a risk problem. However, it is resource intensive and requires expertise in defining the statistically valid sample.[5] Statistical sampling is mostly about the practice of making statements regarding the characteristics of a large population based on a reasonable, thorough review of a representative sample. This practice has many relatively formal rules largely based on scientific knowledge. These rules concern how a population is defined (and how a “sampling frame” of the population is created), a random sample is drawn, a thorough review is accomplished, and an extrapolation about the population is determined. Randomness is essential to assert that the sample is an unbiased estimator of the population mean.[6]

Use of statistical sampling is widespread in healthcare audits and investigations. For example, CMS uses statistical sampling methodology to estimate the amount of overpayment(s) made on claims and provides guidance to its contractors (Unified Program Integrity Contractors (UPICs), Recovery Audit Contractors (RACs), Supplemental Medical Review Contractors (SMRCs), and Medicare Administrative Contractors (MACs)) on the use of statistical sampling for overpayment estimations. These instructions are provided to the auditors so that a sufficient process is followed when conducting statistical sampling to project overpayments.[7]

The OIG’s Office of Audit Services relies on statistical sampling and, in the late 1970s, created the RAT-STATS statistical software that is still used today and is available for free on its website. Providers can download this software to assist in claims review. Among other things, this software assists the user in determining the appropriate size of a sample to achieve a desired confidence, selecting random samples, and evaluating results of a sample to estimate improper payment amounts. Providers, however, are not required to use RAT-STATS in their own sampling.[8]

Other types of sampling are also available, even though not statistically valid. These tend to be more commonly utilized due to resource limitations and other variables. Nonstatistical sampling does not involve the use of statistical calculations. It removes probability theory and is entirely dependent on the auditor’s judgment. Nonstatistical sampling is more frequently used by very experienced auditors with a good knowledge of the data set.

16
Q

How does attorney-client privilege affect audits?

A

With regard to audits and investigations, attorney-client privilege applies in limited circumstances and only where an attorney directs the review or audit and the confidential communications between an attorney and his or her client are made for the purpose of obtaining or providing legal advice. Under attorney-client privilege, a client cannot be compelled to reveal verbal or written communications received from his or her attorney, and the attorney is not obligated to disclose communications from the client.

Therefore, a compliance officer’s first step after talking with in-house counsel is to send in-house counsel written correspondence requesting legal advice, or alternatively, in-house counsel will send the compliance officer written correspondence asking the compliance officer to perform an audit under his or her direction in furtherance of providing legal advice to his or her client (likely senior management) and/or in anticipation of litigation.

All decisions and communications regarding the audit or investigation should then pass through the attorney. It is important to prevent accidental disclosure of protected communication, as this would effectively waive the privilege.[9] If a document that is otherwise privileged is shared with a third party, then the privilege is lost. A third party is generally anyone other than the organization’s attorneys and employees with a need to know. It is therefore critically important that the company keep legal advice confidential. It cannot be passed along outside the company.

Note that “confidential” does not mean “privileged,” and labeling something privileged does not make it privileged. Privilege depends on whether the communication is for the purposes of obtaining or receiving legal advice. Further, to receive protection under the attorney-client privilege, internal audit reports prepared by attorneys should clearly state that the report constitutes legal analysis and advice rather than general business consulting. All correspondence and documents produced in conjunction with the audit should be labeled as confidential and subject to attorney-client privilege.

17
Q

How can oversight be provided to vendors?

A

Subcontractors, or vendors, many of which may be “business associates,” as that term is defined in the HIPAA Privacy Rule, must also comply with regulatory requirements applicable to the provider. A vendor is, in essence, an extension of the provider. So providers must establish and implement an effective system for routine monitoring and audits to evaluate the vendors’ compliance with regulatory requirements.

Most vendor contracts should have a provision requiring that the vendor comply with applicable laws and regulations and a provision giving the provider or organization the right to audit and require remediation. Common risks associated with vendors include regulatory noncompliance, potential for submitting false claims, privacy and security violations, reputational harm, additional enforcement actions, loss of business, decrease in market share, increased vulnerability to litigation, and others.

Healthcare organizations should perform a vendor risk assessment and develop a vendor monitoring and audit plan based on the risks identified. Of particular importance are vendor oversight and accountability, documentation and reporting (providers should receive routine reports from vendors), and independent reviews of vendors’ risk management and compliance program processes.

18
Q

What is a program assessment?

A

A healthcare compliance program assessment involves the analysis of an organization’s internal data to refine and improve the organization’s compliance function. It is the process of gathering, reviewing, and discussing information from multiple sources in order to develop an understanding of the compliance program’s strengths and weaknesses, such as the following:

Development and implementation of the compliance program

The level of working compliance knowledge

The existence of a culture of compliance throughout the organization

19
Q

What fundamental concepts should program assessment methodologies include?

A

Target definition: What is being assessed and what is the scope of the assessment?

Identification of necessary data: What information is needed for the assessment?

Information collection: What is the process by which information will be requested and compiled for review?

Data analysis: How will the information be reviewed, analyzed, and scored?

Development of conclusions and recommendations: What are the results of the assessment and what action steps are available to improve the compliance program?

Responsibilities: Who will be responsible for each prioritized step and within what time frames?

Prioritized process changes: Of the identified recommendations, what is top priority for compliance program improvement?

Reevaluation: How did the changes affect the compliance program, and what adjustments are needed in the future?

To successfully perform an assessment, it is essential to form a comprehensive understanding of what a compliance program is and what it means to that organization. This understanding will drive the assessment process for not only the evaluators, but also for the recipients of the assessment results.

20
Q

What is a compliance program’s purpose and effectiveness?

A

The primary purpose of a compliance program is to promote organizational conformity to applicable federal and state laws, private and commercial payor requirements, and patient expectations. Healthcare compliance is the continuous process of understanding and adhering to the legal, ethical, and professional standards applicable to healthcare organizations. It requires the development of organizational processes established by policies and procedures to define appropriate conduct, educate the workforce, and monitor/audit adherence to compliance directives. An effective compliance program can help protect healthcare organizations against fraud, waste, and abuse, as well as other potential liability areas.

A compliance program should articulate and demonstrate the organization’s commitment to both the law and ethical standards. As such, compliance programs are designed to establish an organizational culture that promotes prevention, detection, and resolution of conduct that is inconsistent with the law or the organization’s policies and standards of conduct.

The U.S. Federal Sentencing Guidelines for Organizations (FSGO) is a federal law that pertains to the assessment of damages in cases of fraud against the government; it includes the essential requirements of an effective compliance program.[2] Effective healthcare compliance programs are premised on these seven elements, as outlined in chapter 8 of the FSGO. This is the industry standard for effective compliance programs. The seven elements are also the basis of the compliance program guidance documents published by the OIG for a variety of healthcare industry segments.

To help guide application of appropriate measures for ethical and legal operation, an effective compliance program will have implemented each of the following elements in a robust manner:

High-level oversight

Established standards and procedures

Open lines of communication

Education and training

Auditing, monitoring, and reporting systems

Response and corrective action

Consistent discipline for noncompliance

Healthcare fraud has greatly increased the pace and intensity of oversight and investigation of healthcare organizations.[3] Establishing an effective compliance program is a necessity to protect healthcare organizations against missteps within a highly regulated and rigorously scrutinized environment. An effective compliance program is a crucial component to preventing fraudulent claims and erroneous billing, preparing for potential audits, and avoiding ethical conflicts in business operations and patient care services.

Compliance program effectiveness continues to be a focal point of government oversight agencies. Simply having the necessary elements of a compliance program (such as a hotline, code of conduct, training, and policies and procedures) does not guarantee effectiveness. Several factors indicate the effectiveness of any compliance program, including but not limited to the following:

Demonstration of an ethical culture in which organizational decision-making aligns ethical values to strategic goals.

All members of the workforce (executives, employees, board members, medical staff, volunteers, vendors, etc.) are held to the same standards of professional conduct.

The willingness of the workforce to speak up and ask questions, as well as the organization’s responsiveness to those inquiries.

The hallmark of an effective compliance program is the organization’s capacity to evolve and improve over time in response to incidents and lessons learned. In healthcare, effective compliance programs also achieve strategic goals, thereby allowing for the delivery of high-quality patient care.

The central challenges for compliance programs are the operationalization of ethical standards and the elevation of values-based behaviors consistent with the Department of Justice’s (DOJ) guidance, which emphasizes results over content alone.

21
Q

How is program effectiveness measured?

A

Often the effectiveness of an organizational compliance program is more qualifiable than quantifiable (i.e., a culture of trust, workforce integrity, promotion of compliant behaviors, response to issues of noncompliance, etc.). However, quantifiable metrics are available for comparison and outcomes determination, which when combined with a qualifiable evaluation can provide a meaningful gauge of the program’s effectiveness.

Measurable aspects of a compliance program can include, but are not limited to, the following:

Regular reporting of compliance-related activities and investigations to the organization’s governing body, including documentation of questions asked and actions taken.

Policies and procedures that are regularly reviewed and updated to provide context to an organization’s ethical values and proper communication to the workforce and relevant external parties.

Completion of regular and relevant workforce compliance training to integrate a culture of compliance into daily operations.

Regular completion of a risk assessment and development of a compliance work plan to address identified risks.

Confidential reporting processes so that the workforce has the ability to report concerns or questions of potential misconduct.

Compliance program benchmarks, including staffing, salaries, budgets, program responsibilities, and activity metrics.

22
Q

How is a compliance program administered?

A

Although everyone in the organization is responsible for compliance, the Department of Health and Human Services Office of Inspector General’s (OIG) compliance program guidance recommends designating a compliance officer and other appropriate oversight bodies.[5] These may include a compliance committee and board of directors’ subcommittee to operate and monitor the compliance program. Additionally, the second FSGO element of an effective compliance program—compliance program administration—expressly addresses the role of the board and high-level personnel in compliance programs.

As a whole, an organization’s board is ultimately responsible for overseeing and managing efforts to manage risk and ensure compliance with applicable laws and regulations. Knowledge regarding content and operations of the compliance program, coupled with oversight of the execution of the program, form the foundation of the duties of the board to safeguard effectiveness.

Senior management plays a significant role in guiding successful implementation of an effective compliance program as well. Senior management must allocate sufficient human and financial resources to these efforts. More importantly, senior management can also foster a robust ethical culture by setting a strong tone from the top and providing an example of ethical behavior and values to the workforce on a daily basis.

The compliance officer serves as the focal point for all organizational compliance activities. Designating a compliance officer with the appropriate authority is critical to the effectiveness of the program. Designating that executive position in the organization with direct access to the company’s governing body, the CEO and all other senior management and legal counsel, is absolutely necessary.

Healthcare organizations cannot achieve an effective compliance program if the effort is not strategic and championed by leadership. The compliance program must be developed and implemented with an overarching and comprehensive strategy so that the workforce fully understands what needs to be done and can reliably carry out compliance measures in daily operations. To align compliance with strategy, an engaged leadership invested in achieving the objectives of the compliance program must participate fully in the requisite responsibilities and provide an example to the workforce. The organizational strategic plan must include necessary resources dedicated solely to compliance, such as human resources, technology, and training. Strategic planning must encompass compliance efforts in order to identify and mitigate risk, meet regulatory demands required for operational success, and achieve sustainable strategic results.

23
Q

What are important assessment factors to consider when assessing a compliance program?

A

A periodic critical review of a compliance program is essential to assess whether or not it meets organizational objectives, accurately reflects the organization’s operations, and addresses compliance risks. The compliance program must not only be in place, but it must also be evaluated regularly. Key factors to consider in the assessment include review of existing policies, practices, procedures, and internal controls related to the prevention of fraud, waste, and abuse. Further, individuals in the organization who have specific compliance responsibilities will provide important input regarding the effectiveness of the compliance program.

In its compliance program guidance for various healthcare organizations, the OIG includes the requirement of regular (typically at least annual) review of a compliance program.[6] Accordingly, industry best practice includes performing annual internal assessments, with an additional external review every three years to provide an objective evaluation.

Internal controls, the review of which is the basis of an assessment, are processes in place designed to safeguard operational success and provide reasonable assurance regarding the achievement of operational objectives. Some of these objectives may include the effectiveness and efficiency of operations, compliance with applicable laws and regulations, and accurate and reliable financial reports. An effective internal controls environment that incorporates clear processes and guidelines ensures an organization’s resources are used for their intended purposes, thereby minimizing the risk of misuse.

Examples of internal controls reviewed during an assessment include the following:

Existence and regular review of key compliance policies and procedures

Regular reporting of compliance program activity to the governing body

Assurance of appropriate staffing and resources necessary to meet the demands of the compliance program

Verification that background/sanction checks are conducted in accordance with applicable rules and laws (e.g., employment, promotions, and credentialing)

Evaluation of audit results conducted by external entities

Monitoring for documentation of consistently applied disciplinary action

A meaningful assessment can provide invaluable insights with important recommendations for improving the compliance program’s overall structure and effectiveness. Although feedback on the compliance program is important, there is a risk that organizational leadership may view a report and completion of recommendations as simply a “check the box” exercise. To get the most out of the assessment, a tactical approach is necessary for successful utilization of the results. First, each of the assessment recommendations should be aligned with the associated compliance program element. Leadership should determine whether it is a regulatory or organizational policy requirement or industry best practice. The report and associated findings should be presented, along with recommendations and a suggested prioritized schedule of milestones and deadlines, to affected leaders of the organization to secure commitments to mitigate identified gaps. This should include compliance department staff, department leads, the compliance committee, and the governing body committee or board. Finally, it is important to monitor improvement on a consistent basis and share lessons learned regularly.

The effectiveness of an organization’s compliance program can have significant influence on the outcome of an external investigation. The United States Sentencing Commission and DOJ have specifically cited the presence of an effective compliance program as a key consideration for investigation and prosecution of criminal liability in organizations.

The FSGO states that compliance standards and procedures reasonably capable of reducing the prospect of criminal activity include the seven elements of an effective compliance program. Further, “if an organization can demonstrate that it had put in place an effective compliance program” the potential fine can be mitigated by 95% in some cases.

24
Q

When performing a self-assessment, what is involved in planning the assessment?

A

Planning the assessment is a vital first step in the process, and it includes the involvement of people across the organization. The decision to perform an assessment should be made by organizational leadership and the governing body in coordination with the compliance department and the compliance committee. An assessment requested and authorized by the governing body carries the most weight both internally and externally. Strong organizational leadership will set the tone of the assessment, as well as affect the reception of its findings and recommendations.

The primary purpose of the assessment is to evaluate the existence and effectiveness of key fundamental program elements and engagement of the workforce in carrying out necessary organizational compliance activities. This includes identification of those organizational entities as well as the affected departments and leaders.

If resources and expertise allow, the assessment can be performed internally by the compliance department; however, an external review is a sound alternative for resource-limited organizations or those requiring a specialized assessment. Additionally, utilization of an external expert adds objectivity and provides insight into how the compliance function may be viewed by a government agency or business partner. As a best practice, an external assessment is recommended every three years to provide an objective evaluation.

Whether performed internally or externally, a proper assessment requires an investment in time, effort, and staff. In most organizations, the assessment’s management will likely fall to the senior compliance executive. Significant coordination and management are required for document acquisition and review, interview scheduling and performance, and analyses and reporting.

Additionally, the organization must determine whether the assessment will be performed under attorney-client privilege. The attorney-client relationship affords a distinct right to have assessment information protected from required disclosure to any third party, including business associates, competitors, government agencies, and even criminal justice authorities. Another benefit to performing an assessment under the direction of counsel is that knowledge of any performance or documentation gaps uncovered can be examined and addressed with a lower probability that the results will be discoverable in legal proceedings.

Some of the essential components reviewed during an assessment include the following:

Background Materials
Industry benchmark information: budgets, staffing, and salaries

Regulatory requirements

Government updates

Professional associations’ (HCCA, AHIA, AHLA, AAPC, etc.) guidance about recent industry updates

Others

Compliance Program Materials
Administrative and operational information (i.e., organizational and structural relationships and committee meeting agendas and minutes)

Compliance program documents (i.e., compliance program plan and charter, code of conduct, compliance risk assessment and work plans, compliance activity dashboard, compliance committee charter and membership, compliance officer job description, and essential compliance policies)

Internal and external audits (i.e., government payors, third-party payors, information technology, and Medicare overpayments and repayments)

Training and education information (i.e., compliance training materials, communication materials, and interview forms)

Listing of any management or board compliance concerns or questions

Interviews
Introduction and questions

Contact person for scheduling

Interviewees

The assessment is designed to evaluate an organization’s existing compliance program and provide meaningful feedback on the effectiveness of the various elements and identified gaps. There is no prescribed method for performing an assessment; however, consideration must be given to the organizational structure and departments to be included in the review scope. Due to the ever-evolving regulatory environment and the associated requirements, it is important to evaluate a significant amount of information in complex organizational structures.

Compliance applies to all areas of the organization. That said, due to the high degree of regulatory scrutiny, certain departments and operational functions are central to the assessment itself. These include revenue cycle, physician compensation arrangements, information technology, human resources, real estate and joint ventures, accreditation, and supply chain. It is important to review materials and interview key individuals who are responsible for these areas to evaluate the strength of internal controls. Other departments and operational functions should be included in the assessment based on the organizational strategic plan and any known or potential risks.

25
Q

When performing a program self-assessment, what is involved with gathering assessment information?

A

As with any critical evaluation process, there will be challenges to obtaining the necessary information for the assessment. To address these challenges, it is important that the assessor is knowledgeable about compliance program fundamentals and organizational strategic goals. Additionally, as individuals involved in the assessment will have varying levels of familiarity with compliance, the assessment process itself may provide an opportunity to offer education related to key elements of compliance that affect various departments and operational functions. Similarly, the recommendations provided must take into consideration the operational aspects of each area. Implementation of compliance program improvements must be attainable for the affected departments to achieve the desired result of a robust and effective compliance program.

26
Q

When performing a program self-assessment, what is involved with the assessment report and response?

A

Following the review of materials and interviews with key stakeholders, the compliance officer (or another employee ultimately responsible for the assessment) should identify compliance program strengths and areas for improvement. Additionally, the results should be collectively confirmed by compliance department staff to establish the assessment findings and recommendations. In accordance with industry best practices, recommendations should address aspects identified for improvement, and critical observations should be provided to the organization’s compliance committee and governing body. The assessment should generally include findings associated with leadership’s role in compliance, compliance program resources, operationalization of key concepts, reporting to the governing body, and organizational initiatives.

Given the potential risk involved in the various elements reviewed during an assessment, the organization should establish a method for prioritizing the issues discovered. This prioritization should inform decision-making by leadership and the compliance officer, both in terms of resource assignment and timeliness.

Once the assessment is complete and the report has been produced, it is important to develop a work plan that contains actionable items. The assessment report should create a roadmap for prioritized improvement opportunities following the report priority rankings. The improvement opportunities should be cooperatively developed with department leads and should be monitored on a consistent basis. Lessons learned throughout the process should be noted and shared with leadership as part of continued program development.

Compliance program assessment is a vital and valuable tool for healthcare organizations. It provides the quantifiable goals necessary to assist continual compliance program improvement. Similarly, an effective compliance program is key to ensuring an organization is positioned to address issues. Misconduct and compliance concerns affect the achievement of strategic goals and objectives for the organization as a whole; a solid compliance program is a healthcare organization’s best and strongest opportunity to prevent them before they manifest—assessment helps ensure compliance programs not only exist but are also effective in achieving those organizational goals.

27
Q

What are internal investigations and why are they important?

A

A good investigation can act as a shield, bolstering an organization’s defense and helping to avoid liability or mitigate damages. However, it is far more common that an investigation is a sword to find and cut out wrongdoing in an organization before an outside party or agency comes in.

Complaint intake and investigation are a company’s first (and possibly only) opportunity to hear about an allegation, check it out, and, as necessary, fix it. No compliance program is foolproof—there is always some person who slips through the cracks and behaves badly (often called the “bad apple”) or some system of controls that breaks down. While much of ethics and compliance is about prevention, detection is its twin, and the best tools of detection are often effective complaint intake and investigation. In hindsight, a government agency, judge, or even jury will ask the following of an investigation:

What did the organization know?

When did the organization know it?

How quickly did the organization undertake an investigation?

Was the investigation adequate?

Did the organization detect and adequately address any wrongdoing in a timely and appropriate manner?

Did the organization follow up on the effectiveness of the corrective action?

Having an effective framework for complaint intake and investigations helps an organization cut down risks at an early stage, manage employee and external issues, and message the expectations employees and the public can have about how the organization manages such matters and those involved. The framework and tools for investigations should reflect the values, philosophy, risks, and goals of the organization. To make good decisions, you need information. Complaints and investigations provide access to information and can be valuable tools in analyzing data, correcting problems early, and spotting possible trends.

28
Q

How is an organizational investigation program created?

A

Regardless of the organization’s size, most organizations have investigations occurring—whether as part of a structured and thought-out formal program by trained personnel or as done on the frontline by managers who hear issues of concern. Therefore, it is important to identify the current personnel who undertake organizational investigations and get their input, buy-in, and alignment as you seek to create a formal organizational investigations program. Further, organizations should consider any change management needed to move from the current state to an implemented investigations program with compliance oversight.

Organizations considering and developing an organizational investigations program should undertake the following basic steps:

Identify the organization’s information points and possible sources of information for issues and complaints of all types.

Identify the investigations framework currently in place.

Conduct a skills assessment of those who have or could potentially be asked to conduct investigations and develop or identify a training program for internal investigators.

Design or evaluate the investigations framework, with an eye to the organization’s risk profile.

Consider the organizational philosophy and strategic goals regarding investigations and the rights and expectations of witnesses and investigators.

Consider with other key risk management functions whether any additional policies or procedures are needed and develop accordingly with any necessary training modules or implementation support.

Schedule a timeline for the implementation of the investigations framework, considering existing investigative activities (and the input and buy-in of those stakeholders) and organizational culture with change management in mind.

Implement the designed organization structure, measure and monitor effectiveness, and adapt to changes in organization and environment as needed.

In addition to these steps, there are a few other matters to consider in creating an investigations program: the need for an investigations case management system, the issues of attorney-client privilege, the possibility of the need to report an issue to a government agency, and global issues.

29
Q

When creating an investigations program, how are the organization’s information points found?

A

Employees always have information about where the issues and systems breakdowns are; the real trick is obtaining and effectively harnessing that information. Effective compliance functions tap into the organization’s many information sources and provide employees and others a safe place to share important information about suspected problems and issues. Then the organization must have a mechanism to sort the chaff from the wheat to determine which information and issues merit investigation and manage those investigations accordingly.

Thus, the first task for organizing an investigation framework is to identify the various information points in an organization (those persons and functions likely to be frontline recipients of complaints and reports). Following that, the compliance function should create or utilize the various paths to reporting and encourage that reporting. Finally, the organization must determine how and where to handle the different types of investigations.

Organizations need to consider, based on their size and organizational structure, where information points for employee complaints exist. Most organizations have a variety of sources of information and information points that will include some or all of the following:

Employee or partner/vendor background checks

Personal reporting by an employee, vendor, consultant, or other party to a manager or to human resources, security, compliance, management, or other personnel

Compliance helpline reporting (phone/electronic)

Workplace rumors

Audit reviews

Expense report incongruities

Calls, emails, or letters from friends/family of employees or vendors, consultants, partners, or competitors

Anonymous calls, emails, texts, or letters

Websites, blogs, apps, and other social media posts/communications

Exit interviews

Information from the Employee Assistance Program

Contact from law enforcement, government investigators, or news personnel

Employee disciplinary actions

Litigation trends

Liability insurance trends

Risk assessment or other employee surveys

Increasingly, because social media channels allow such broad communication by nearly anyone, it is important to consider whether and how to engage in social listening/monitoring about issues that may be published about the organization. The reality is that much information about possible compliance violations or issues is still directly transmitted person-to-person, and the company and compliance function need to take care to ensure that the information makes its way to the appropriate location for issue management, investigation, and resolution. It is important for the compliance function to have insight into these reporting avenues and understand who controls the information flow from them. Based on that assessment, the organization needs a mechanism to make decisions about which matters need to be funneled where and create effective documented processes or procedures to ensure proper handoff.

Once the information sources are determined, and the investigations program is designed, it is important that (at a minimum) those persons in a position to receive information related to complaints or possible compliance issues be trained on the following:

Spotting the issues and their significance

Responding appropriately to the person raising the complaint, including addressing employee concerns about confidentiality

Getting the issues to the right party to manage and possibly investigate in a timely fashion

Preparing for ongoing monitoring to ensure that the issues have been effectively resolved and no retaliation is occurring

30
Q

When creating an investigations program, how is an investigations skills assessment conducted?

A

In addition to identifying the key organizational information points, it is important to understand the current skill sets and experiences of those in the organization as to investigations. Those skills may exist within the organization and/or with outside investigators the organization may opt to utilize. Regardless of whether investigations are to be done by internal or external resources, it is important to understand the skills and experience of investigators working on behalf of the organization and develop a training/onboarding program to ensure they are acting in a manner consistent with the organization’s intentions and desires. They are the frontline in contact with persons providing potentially critical information, and how they manage the person reporting and the issue can have significant consequences for the organization and its reputation.

In addition to these items, you may want to ask about the outcomes of these matters and how they typically document their findings and conclusions and/or track and compare their investigations in each function. This assessment can be helpful in determining the ultimate structure and personnel for the investigations program and how to help develop the necessary skills for the future.

31
Q

When creating an investigations program, how is the program designed or evaluated?

A

The compliance function rarely has sufficient resources to conduct every workplace investigation—nor is that a requirement or necessity for an effective program. What is critical is that the compliance function have insight into the types of investigations being conducted in the organization with some nexus to the compliance function and that it have the opportunity to provide insight and oversight into the management of such investigations to ensure appropriate management and effective and consistent responses to issues, particularly those of a higher risk profile. At the very least, the compliance function should be involved in the creation of any investigations policy, standard operating procedure for report intake, and investigator protocol; be in the communication loop as to ongoing investigations; and participate in monitoring resolution of the issues.

Ultimately the structure of an investigations program is a question of oversight, roles, and responsibilities. Once the information points are identified, processes should dictate which matters will be investigated and which teams will be responsible for each type of investigation. For example, some organizations have determined that investigations about claims of discrimination, harassment, and the like should be managed by the human resources and/or employee relations functions, while issues of fraud, abuse, and corruption likely need someone with more general compliance experience or oversight. Regardless of the division, it is important that the compliance function have, at least, visibility, communication, and coordination with those conducting all types of investigations, as issues often are not clear-cut. Nonetheless, each report of actual or suspected misconduct must be resolved appropriately.

Structures to consider for an investigations program include the following: centralized investigations management; semi-centralized investigations management; decentralized investigations management; and outsourced investigations management.

In all of these structures, there is also the question as to the role of Legal. It is best practice to have a trained attorney involved and/or responsible for the oversight of investigations to assist in managing the legal considerations and to help ensure the process of an investigation is thorough, programmatic, and defensible. Again, those matters with a higher risk profile, and the possibility of the requirement for public disclosure, should generally involve in-house and/or outside counsel; these would include matters of financial misconduct, as well as allegations of fraud, bribery, and any other potentially illegal activity. The attorney involved should also have his/her own skills and experience conducting investigations so that the oversight and assistance is tailored to the organization’s investigative needs.

32
Q

Define the 4 structures of investigations programs.

A

Centralized Investigations Program:
All investigations are performed by one central investigations group that trains its investigators on conducting investigations.
The investigations group is either part of the compliance function or reports its investigations findings to the compliance function.

Semi-Centralized Investigations Program:
Investigations are performed by more than one group, depending on the nature of the allegation, and training on conducting investigations is done by each group for their own investigators.
Each investigations group reports in some form to the compliance function about the investigations they complete.

Decentralized Investigations Program:
Individual groups perform investigations and training (if any) on how to conduct investigations.
There is little or no reporting to or oversight from the compliance function.

Outsourced Investigations Program:
Skilled external resources perform investigations.
There is oversight by organizational functions, which may include subject matter experts such as employee relations and/or compliance.

33
Q

How is the program philosophy and policy of internal investigations developed?

A

At the very least, organizations should develop a philosophy around how internal investigations are to be accomplished and the methods and means that are considered appropriate or not. The philosophy should address some basic questions: Will a subject always have an opportunity to respond to the accusations? Is one innocent until proven guilty? What techniques are acceptable for investigators?

This philosophy should also include the following:

Investigation processes and standards

Qualifications, expectations, and authority of investigators

Treatment and expectations of witnesses

Issues of cooperation and confidentiality

Communications related to the investigations and to whom

Investigation working papers, draft reports, and final documents

Access to investigative information and files

Appropriate retention and destruction periods for investigative data

Organizations should also consider implementing a written policy and procedure on internal investigations to address some or all of the following matters:

The investigation process and standard.

What is an investigation?

Who is authorized to conduct investigations? In what areas?

What is the investigator’s role (i.e., neutral fact finder, decision-maker)?

What rights do witnesses have (including access to information about the allegation)?

What is expected of witnesses (e.g., cooperation, confidentiality, and evidence preservation)?

Reporting/communicating about investigations to senior management/others.

Complaint reporting channels (where and how complaints can be made).

The policy against retaliation/retribution.

For reference, see the Resource: Sample Internal Investigations Policy after this article.

34
Q

What role does confidentiality play in internal investigations?

A

Organizations have long recognized the critical importance of maintaining confidentiality with respect to internal investigations. Confidentiality is important to protecting the integrity of evidence and the investigation itself. It can help minimize the possibility of retaliation against reporters and witnesses and of employees tampering with evidence or speaking to potential witnesses before the company’s investigators have an opportunity to do so. It also respects the privacy rights of the employees involved in the investigation. However, the National Labor Relations Board (NLRB) has called into question company practices of requesting blanket confidentiality for all internal investigations.

In the case of Banner Health, the NLRB found that an organization’s interest in maintaining the confidentiality of all investigations is insufficient to outweigh employees’ Section 7 rights to concerted activities for their mutual aid and protection.[5] To minimize the impact on Section 7 rights, the NLRB held that companies must first establish, with respect to any particular investigation, that confidentiality is appropriate because of the need for witnesses or evidence protection or for some other legitimate business justification.

Organizations should consider the Banner decision in formulating their investigations procedures. It should be noted that the scope of the ruling applies only to nonmanagement witnesses. More specifically, investigations procedures, such as the standard instructions given at the beginning of an investigative interview, should include consideration of the need for confidentiality (and, where there is a need, documentation of that) with respect to all investigations. State and federal laws should also be considered during policy development, as some states permit recordings as long as one person is aware while others do not.