Frequently Asked Questions: Compliance Programs Operations

Both the DOJ and OIG offering confidentiality to all callers that disclose information is a critical factor for effective compliance programs. The DOJ, U.S. Sentencing Commission, and OIG all call for providing employee confidentiality to employees and that organizations must protect the identity. 

The OIG, DOJ, and U.S. Sentencing Commission Guidelines stress that callers be given the option to report anonymously. This is also in the organization’s interest because it does not bear the burden of protecting reporters against retribution or retaliation.

Hotline reports and corresponding resolutions should be retained permanently.  If the reporter disclosed identifying information, it should be redacted from the file to protect the reporter. Retention of reports and the redaction of the reporter’s information should be in written policy and not done on an ad hoc basis.

Key factors that the OIG and DOJ consider in the effectiveness of the training are: 

• Whether it conveys the important and defined compliance information for covered persons 
• Verification that all covered persons underwent the training 
• Evidence of participant understanding, and retention of the information provided 
• Evidencing whether the lessons were applied in the workplace  

Most organizations use tests and quizzes to evidence employee understanding of the lessons, but that doesn’t address long-term retention.  One method to test retention is through conducting compliance program surveys long after training to obtain independent and objective evidence of what employees recall from the training.  

Ongoing Monitoring is the responsibility of the program manager, not the Compliance Officer. It includes: 

•  Keeping current with changes in rules, regulations, and applicable laws 
•  Developing internal controls, policies, and procedures to comply with them 
• Training staff on these rules 
• Taking active steps in monitoring or verifying compliance with these new guidelines 

Monitoring techniques may include sampling protocols that permit program managers to identify and review variations from an established baseline. Results from this process are often measured numerically as outputs.

Ongoing Auditing, by definition, must be performed by parties independent of the areas being reviewed.  It can be done by the Compliance Officer, Internal/External Auditing, Consultants, or any combination thereof.  One primary objective is reviewing the Ongoing Monitoring by program managers to verify they are meeting their monitoring obligations, validate they are functioning as they were intended, and identify weaknesses in the program that need to be addressed. This validation of the results of Ongoing Monitoring moves from measuring output to outcome.

The OIG has the authority to exclude individuals and entities from federally funded healthcare programs for a variety of reasons, including a conviction for Medicare or Medicaid fraud. A list of all excluded individuals and entities called the List of Excluded Individuals/Entities (LEIE) is maintained by the OIG. Any covered entity or Business Associate that hires an individual or an entity on the LEIE could be subject to civil monetary penalties.  To avoid penalties, your organization should periodically check the LEIE.  State Medicaid programs also maintain a database of Medicaid Excluded Individuals which CMS has called for monthly screening of all participating providers. 

The Credit Reporting Act applies to credit agencies that gather information on individuals. This has been widely applied to any organization that screens employees. As a result, organizations should include on their employment applications, medical staff privilege agreements, etc., that the individual agrees to the screening and that they have provided accurate information, as a condition of engagement.

There is no right or wrong answer. Some organizations centralize the screening to be handled by one department, e.g., Compliance Office, Human Resources. Other organizations task different departments based on the type of screening, e.g., Compliance Office conducts routine screenings on existing employees and HR conducts new hire screenings and Procurement Department conducts vendor screenings.  Whichever way your organization decides to handle sanction screening, it is important that the process is documented in a policy document to ensure all parties involved are aware of their responsibility. 

The OIG List of Excluded Individuals and Entities must be screened. In the OIG’s Updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Healthcare Programs, the OIG states that the General Services Administration’s System for Award Management debarment list cannot be screened as a substitute for the LEIE; this position also applies to the National Practitioner Data Bank. However, CMS calls for screening against that database. Additionally, states maintain a separate Medicaid exclusion list that should be screened monthly.  Other sanction databases include those maintained by the Drug Enforcement Agency, Food and Drug Administration, and Office of Foreign Assets Control (“OFAC”), among others. 

In the OIG’s Updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs, the OIG suggests monthly checks against the List of Excluded Individuals and Entities to reduce the risk of Civil Monetary Penalties. It’s also recommended to  check for state Medicaid requirements. Certain states with exclusion lists stipulate monthly screenings.