Frequently Asked Questions On Compliance Program Operations

Richard P. Kusserow | April 2015

Sanction Screening

  1. Must we notify employees/vendors they will be screened for exclusions?

Yes. Employees, vendors, medical staff, etc. must be informed that they will be screened for exclusions at the time of engagement and periodically thereafter.

  1. We heard from our attorneys that the Credit Reporting Act may apply to screening and background checks? What is it and how does it apply to us?

The Credit Reporting Act applies to credit agencies that gather information on individuals. This has been widely applied to any organization that screens employees. As a result, organizations must include on their employment applications, medical staff privilege agreements, etc., that the individual agrees to the screening and has provided accurate information.

  1. Why is the employment application a critical piece to sanction screening?

The application is critical because it is used to gain consent from the employee for sanction screening by the organization. In addition, the application should ask whether the individual has been subject to or is currently under investigation for an adverse action by a regulatory agency. The application should state that sanction screening is a condition of employment. Furthermore, if the individual becomes the subject of an investigation by a regulatory agency, the individual must report it to the organization. It is important to have such an employment stipulation in the application. For example, if at the time of hire the employee is not sanctioned or excluded, but six months later the adverse action is implemented, then the organization has grounds for termination.

  1. We screened someone at time of hire and they were not a hit on any exclusion list. However, they were later added to a list for a previous case. Do we have to terminate?

Yes, you cannot employ someone who is excluded from participation. This is an example of why it is important for the employment application to include a section on sanction screening. If the person lied on their application, it is grounds for termination.

  1. What should the application include to help meet our sanction screening obligation?

Their name and any previous names used, whether they have been subject to enforcement by a regulatory agency and whether they are currently under investigation.

  1. Must we screen all physicians who refer patients to us?

You should screen physicians that are known to you. It is not required to screen referring physicians or physicians with no relationship with the organization.

  1. What authority says we have to terminate an employee or contractor who is on a sanction or exclusion list?

The Department of Health and Human Services Office of Inspector General’s position is that including excluded parties on a claim for reimbursement is considered a violation of the Federal False Claims Act. Further, hiring or engaging with non-excluded parties is a Condition of Participation in federal healthcare programs.

  1. Who is responsible for sanction screening?

There is no right or wrong answer. Some organizations centralize the screening to be handled by one department, e.g., Compliance Office, Human Resources. Other organizations task different departments based on the type of screening, e.g., Compliance Office conducts routine screenings on existing employees, HR conducts new hire screenings and Procurement Department conducts vendor screenings. Whichever way your organization decides to handle sanction screening, it is important that the process is documented in a policy document to ensure all parties involved are aware of their responsibility.

  1. Which federal and state lists should be checked?

The Department of Health and Human Services Office of Inspector General’s (OIG) List of Excluded Individuals and Entities must be screened. In the OIG’s Updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs, the OIG states that the General Services Administration’s System for Award Management debarment list cannot be screened as a substitute for the LEIE; this position also applies to the National Practitioner Data Bank. Additionally, many states maintain a separate Medicaid exclusion list. If the state(s) in which you operate maintains such a list, you must also screen that list. Determine what the state requires; it varies from state to state.

  1. We have problems screening against the GSA’s System for Award Management Debarment List. Must we screen this list? What is the OIG’s position?

The Centers for Medicare & Medicaid Services is the only agency that encourages screening the General Services Administration System for Award Management (SAM). The problem, though, is that the list can create false hits. The Department of Health and Human Services Office of Inspector General is not enforcing actions against providers that engage an individual included in the SAM debarment list. The SAM debarment list includes debarments imposed by all federal agencies. The purpose of the list is for federal agencies to screen during the federal contract process.

  1. We received conflicting guidance on the frequency to conduct sanction/exclusion screenings. What is actually required?

In the OIG’s Updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs, the OIG suggests monthly checks against the List of Excluded Individuals and Entities to reduce the risk of Civil Monetary Penalties. Also check for state Medicaid requirements. Certain states with exclusion lists stipulate monthly screening.

  1. What do we do if we identify a sanctioned or excluded employee or contractor?

Organizations should follow the Department of Health and Human Services Office of Inspector General’s self-disclosure protocol, which can be found at:

  1. A doctor from another state referred a patient to us. We screened the doctor and found a hit. We have issues resolving the hit. What is the best way to deal with this issue?

Screening physicians that do not have staff privilege is not required by the Department of Health and Human Services Office of Inspector General and, therefore, does not need to be done. Many times, when screening a referring physician you only have the physician’s name and license number. In some cases this may not be enough information to rule out a match because most exclusion lists do not have the license number. Therefore, you only have a name. If you do screen the referring physician and determine that the physician is excluded then you cannot submit the claim for reimbursement.

  1. Who are we required to screen for sanctions and exclusions?

The general rule is to follow the money stream. Any employee, medical staff, vendor or contractor that is paid directly or indirectly, in full or in part, by federal healthcare funds should be screened.

  1. What are the benefits of changing from a S3 Tool user to outsourcing the whole thing? How much more does it cost? 

Outsourcing the sanction screening process saves you time and money. CRC has implemented an efficient and streamlined process to screen and verify matches that enables us to keep costs low for our clients. The screening and verification of matches is conducted by experienced staff who are knowledgeable on healthcare exclusions. Outsourcing also decreases your use of internal resources, such as training staff, turnover, and time that can be spent doing other projects. For more information about outsourcing sanction screenings visit or email Jillian Bower at [email protected].

  1. We use the S3 Tool that includes the UPIN/NPI database but not sure as to how that helps?

The National Provider Identifier (NPI) database can be used to gather additional information on a licensed practitioner or provider. The UPIN data is also available for the same purpose; however, keep in mind the UPIN was discontinued as of June 2007 and replaced with the NPI.

  1. What does it take to resolve a potential hit?

Validating a match should be done using the individual’s full name and at least one unique identifier, such as SSN, DOB or license number. Validating a vendor entity match should be done using the entity’s full name and TIN or D-U-N-S.


  1. How should we properly publicize the hotline?

The hotline should be publicized through posters, pocket cards, newsletter, meetings and trainings.

  1. What obligations do we have for offering confidentiality to all hotline callers?

Organizations must provide confidentiality to all callers that disclose information. The Department of Justice, U.S. Sentencing Commission and the Sarbanes-Oxley Act stipulate that if employees disclose their identity, the organization must maintain their information in confidence.

  1. Our legal counsel believes callers’ identities should be collected in order to assess reliability of the information provided. Must we do this?

You must give callers the option to report anonymously. This is also in the organization’s interest because it does not bear the burden of protecting reporters against retribution or retaliation.

  1. Must we offer anonymity to hotline callers?


  1. We get very few hotline calls, is that a good or bad indicator? What call volume is best?

Call volume by itself cannot indicate good or bad. Based on national call data, the average rate is one call per 1,000 employees per month or 2-3 percent of your employee population.

  1. Is there a set time frame to investigate hotline complaints?

No. However, the sooner complaints are investigated the better, particularly because memories and recollection of what happened can change over time and that can hinder an investigation. Also, keep in mind that a violation of law must be reported within a 60-day timeframe.

  1. How long should we keep hotline reports on file?

All hotline reports and corresponding resolution should be retained permanently. If the reporter disclosed identifying information, it should be redacted from the file to protect the reporter. Retention of reports and the redaction of reporters’ information should be in written policy and not done on an ad hoc basis.

  1. Is the CO responsible for investigating all hotline reports?

No, the reports can be handled by the specific program area managers or directors. For example, HR can handle HR-related reports. However, if the reports are received through the compliance hotline, it should be documented how the report was handled, i.e., handled by HR. Also, implement protocols between the Compliance Office, HR and Legal Counsel.

  1. Our hotline vendor emails us the reports and then the reports are emailed to the program manager. Is this an issue?

Yes, because email is not a secured method of transferring information, particularly sensitive information. Hotline reports can include reporters’ identity, Protected Health Information or proprietary company information. You do not know exactly what information is in the report until you receive it. Therefore, do not take a risk on handling the information. To learn more about the Hotline Service Center visit or contact Jillian Bower at [email protected].

Written Policies and Compliance Documents

  1. What type of security is needed for compliance documents?

Compliance documents, such as hotline reports and results of sanction screenings, must be maintained in a secured area with limited access and within a locked file cabinet. Access to electronic files should be limited to only the individuals that need access. If possible, password encrypt files that contain sensitive information.

  1. We were told to maintain policies that have been revised or rescinded. Why should we do this?

Keeping previous versions of policies is important. If a legal issue is raised you will need to show the policy that was in place at the time the incident occurred. The policy at the time of incident will support why and how you responded in a specific way.

  1. How many CP policies and procedures do we need?

The number of policies and procedures is dependent on the size of the organization. The Department of Health and Human Services Office of Inspector General lists in their series of voluntary compliance program guidance documents numerous policies and procedures that should be implemented. In general, the number is between 12 and 20 specific compliance program related documents.

  1. We were advised that all our policies and procedures should be done by attorneys. If so, why should we worry about developing policies and procedures?

Attorneys are good at translating laws and regulations into policy. However, they lack the operational perspective to develop sufficient procedures to carry out the policy. Therefore, it is recommended to have procedures written by managers and directors with operational experience. It is also recommended to have a group of employees review the policy before implementation to ensure it is understandable and accurately lays out how to comply with the policy.

  1. What elements must be part of a policies and procedures document?

  • Header box to track the document
  • Background about the policy subject
  • Purpose of the policy
  • Scope covered under the policy
  • Policy statements
  • Procedures to effectuate the policy statements
  • Related policies and documents
  • Regulations citations used to develop the policy

  1. Who is responsible for developing, reviewing and revising compliance related policies?

Generally, program managers should develop, review and revise their own program policies. Therefore, compliance program related policies should be handled by the Compliance Officer.

  1. How often should we review, update and revise compliance related policies and procedures?

Policy documents should be reviewed on an annual basis, particularly ones that are based on laws and regulations, such as payment rules, HIPAA and the Affordable Care Act.

  1. What is the most effective Policy Resource Center search function?

All search functions are helpful and depend on the type of results you want to retrieve. The Keyword Search provides a broad set of results based on a specific word. The Category Search allows you to search based on a specific category and topic areas and produces a larger pool of results. The Advance Search provides a smaller set of results based on matches to specific keywords and phrases and omitting specific keywords and phrases. Lastly, the Recent Document Search is helpful to see what has been added to the Policy Resource Center in the last 90 days. To learn more about what the Policy Resource Center can offer visit or contact Jillian Bower at [email protected].

  1. What other compliance documents should we have in addition to policies and procedures?

Consider implementing the following types of documents:

  • Compliance audit and monitoring plans (CAMP)
  • Hotline report log
  • Compliance training log
  • Communication protocols with Human Resources and Legal Counsel
  • Position descriptions for compliance office positions
  • Sanction screening report

  1. What types of policies and procedures should we have related to the hotline function?

The following are recommended policy documents:

  • Duty to report
  • Confidentiality
  • Anonymity
  • Resolution of complaints
  • Investigation
  • Relationship with HR, Legal Counsel, CO
  • Retention of hotline reports

  1. What policies are needed to support sanction screening?

The policy should establish how frequently sanction screenings will be conducted, who will be conducting the sanction screening and which source agencies will be screened.

  1. Should the Compliance Officer also take on the role of the HIPAA Privacy Officer and the HIPAA Security Officer?

It is common for the Compliance Officer and the HIPAA Privacy Officer roles to be handled by one person. However, the HIPAA Security Officer position should be an individual with experience in the IT area.

Compliance Surveys

  1. Why are compliance surveys for employees encouraged by the Health and Human Services Office of Inspector General and others?

In OIG’s series of voluntary compliance program guidance documents the OIG states that surveying employees can be used to measure the effectiveness of the compliance program (CP).  It is also in the organization’s interest to survey employees. Survey results can identify areas that warrant attention, as well as provide an early warning that employees need additional training in specific areas.

  1. What type of survey is best?

This answer depends on the circumstances and what you want/need to measure. The Compliance Culture Survey is ideal for a new compliance program and can provide results related to employees’ perception of compliance in the organization. Such results can be used to build and/or improve the compliance program. The Compliance Knowledge Survey is ideal for compliance programs that have been in operation for some time. The results can reveal whether employees are understanding the purpose of the compliance program and whether they retain the information.

  1. How can we make the best use of surveys?

Alternating different surveys is the best use of the surveys. Using the same survey each year will not provide a variation in the results that warrant doing the same survey. Instead, alternate between the Compliance Culture Survey and the Compliance Knowledge Survey.

  1. Any reason why we cannot develop and administer compliance surveys ourselves?

Developing and administering a survey on your own can lack objectivity. Further, the survey instrument has not been tested and could produce unreliable results. Utilizing a vendor can be inexpensive and provide a better set of results. Also, utilizing a vendor’s survey instrument gives you the ability to compare your results against similar organizations. To learn more about the Compliance Survey Center visit or contact Jillian Bower at [email protected].

  1. What information can a survey provide to help make the CP more effective?

Survey results identify strengths and weaknesses in your compliance program. These results can be used to emphasize specific areas in employee training.

  1. How can we have confidence that our CP satisfies the seven elements?

Two things can ensure the compliance program satisfies the seven elements: ongoing auditing and monitoring, and conducting staff surveys.

Compliance Training

  1. What kind of compliance training is most effective?

Training conducted in person by an expert that includes scenarios and case studies is most effective. This type of training is ideal when rolling out a compliance program. However, thereafter, utilizing interactive computer-based training is effective. Any method of training should include questions to test the employees’ understanding and retention of the information. To learn more about the Compliance Training Center visit or contact Jillian Bower at [email protected].

  1. What types of written guidance should be included in compliance training?

In OIG’s series of voluntary compliance program guidance documents, the OIG lists specific policy documents that should be implemented. These policies should be addressed in general compliance program training or in specific/high risk area training.

  1. What metrics are important to evidence effective compliance training?

Testing employees is the most accurate method to ensure compliance training is effective. All training programs should include questions and scenarios to test whether the employees understand the information. The other important metric is conducting a Compliance Knowledge Survey with employees. The results will indicate how well employees retained the information.

  1. Who should keep the records of employee training (Compliance Office, Human Resources, individuals’ managers)?

There is no right or wrong answer. However, it is highly advisable that the Compliance Officer retains records on compliance program training. The record should include the training material, who was trained, results of training quizzes completed by the employees, and a signed attestation from all employees that they completed training. A copy can also be retained by HR in the employees’ files, if needed.

  1. How long should we retain compliance training records?

Compliance program training records should be retained permanently. It shows a pattern of training and effort by the organization.

Auditing & Monitoring

  1. Who is responsible for ongoing monitoring of high risk areas?

The program manager is responsible for monitoring high risks related to their program. As such, the Compliance Officer is responsible for monitoring the compliance program.

  1. Who is responsible for ongoing auditing of high risk areas?

The program manager cannot monitor and audit the high risks in their program. Therefore, the audit component must be done by an outside party, such as Internal Audit or the Compliance Office.

  1. Who is responsible for ongoing monitoring of sanction screening?

The department that handles the sanction screening. Some organizations have a centralized approach for screening and others divide the screening responsibility among the Compliance Office, Human Resources, Procurement Department and/or Physician Credentialing Department.

  1. Who is responsible for ongoing monitoring of the hotline function?

The Compliance Officer is responsible for monitoring the compliance hotline function.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.