How Effective is Your Auditing Hotline Operation?

Hotline Reviews Should Demonstrate How Organizations Encourage Employees to Report Problems

More and more legal and regulatory requirements call for having an employee hotline, including the U.S. Sentencing Commission Guidelines for Organizations, recently passed Sarbanes-Oxley Act, privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA), Defense Industry Initiative (DII), U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) compliance guidance, Supreme Court decisions on sexual harassment, and others. In its various compliance guidance documents, the OIG stressed not only the importance of compliance communication and hotlines as a critical element of any compliance program but also the effectiveness. The problem for many is trying to determine how and what an effective hotline function should look like.

What is clear to most organizations is that they cannot operate their own hotline in house in a way that is cost effective. Compliance hotline vendors provide an extremely cost-effective alternative and should be carefully considered. However, like with any other purchasing decision, it is important to know what to look for. Even with vendors accepting the calls, the major part of any hotline operation is with the provider, and the challenge is making the hotline operation an integral element of any organization’s risk management, compliance, and ethics program. Once established, the hotline program should operate under strict policies and procedures. To do otherwise invites increased exposure to added liability and unwanted consequences.

There are great benefits to an organization in gaining feedback from those who are in the workplace. Information from the hotline may be able to alert management to issues affecting their bottom line, exposure to liability, morale of the workforce, et cetera. All this is possible if it is operated correctly.

A poorly managed hotline program can do just the opposite. It can educate people into believing management does not care to hear from them — or worse, will penalize anyone who tries to use the hotline. This, in turn, can lead to their silence, where they will not warn the organization of a looming problem. Worst of all, employees with no outlet for their concerns, frustrations, and problems within legitimate organization channels may seek redress outside. There are thousands of instances in which insiders (a) leak to the press; (b) engage an attorney and sue their employer (for sexual harassment, injury, slander, discrimination, et cetera); (c) inform regulatory authorities of unsafe conditions or other violations (d) report a suspected violation of law to a state or federal enforcement agency; (e) file a qui tam action (whistleblower suit); or (f) just leave the organization for another job.

Channeling information through legitimate avenues of communication is absolutely critical to the effectiveness of any compliance program. However, just establishing a hotline is not enough; it must be made credible and effective, or it will cause more damage than not having one at all. A hotline viewed as a “sham” invites cynicism and gives added rationalization to “blow the whistle” on the employer.

Best Practice Tips

Here are a few best practice tips to help ensure an effective hotline:

• The hotline should be the subject of ongoing auditing and monitoring.
• An audit should be performed by those independent of the program.
• Results should be documented in a written report.
• The review should document findings and suggestions.
• Reports should go to senior management and the board for action.

Ongoing Auditing of the Hotline¹

It is important to periodically conduct an audit of the hotline operation to determine (1) whether the hotline was operating in accordance with the established protocols, policies, and procedures; (2) that the level of documentation and evidencing of the operation is adequate to assure effectiveness; and (3) that the stated objectives for the hotline operation are being achieved. Reviews of the hotline function should focus on the actual operation of the hotline and whether it was being operated in a manner that was consistent with the established protocols, policies, and procedures designed for its operation. To be independent and objective, the audit should be performed by someone outside the Compliance Of?ce. The review should include:

• onsite review where information is received, processed, stored, transmitted, and managed;
• visible examination of the security of the files was made;
• examining a sample of cases to determine compliance with existing policies and procedures; and
• reviewing reports on the hotline provided to the executive and board level compliance committees for content and accuracy.

Review of Call Log

There needs to be a hotline call log, and it should be examined to ensure that it includes specific information for each call taken, including:

• caller identification number;
• identifying initials of the operator taking the call;
• date the call was received;
• whether investigation of the call information is required (yes or no);
• whether the investigation is completed (yes or no);
• whether follow-up action is needed (yes or no);
• whether follow-up has been completed (yes or no); and
• date of resolution.

Review of Written Guidance

Organizations with a hotline should have policies and procedures governing all aspects of the function gathered into a single manual which provide instructions and guidance on the operation of the hotline. The annual review should verify that the policies provide adequate guidance to hotline staff, are written in a clear and concise manner, have been distributed to all covered persons, and have been used in compliance training programs. The hotline-related policies should address:

• hours of the hotline operation;
• filing and numbering system;
• storage and access parameters;
• record retention policy;
• form and format of call information;
• manner by which calls should be handled;
• key review points that should be covered with the caller;
• ensuring caller understood the ground rules of the function;
• proper protocols to ensure that complete information is gathered;
• types of routine and investigative compliance services;
• general compliance reviews;
• conducting investigations;
• phone procedures for receiving hotline calls;
• general operating protocols;
• documentation and tracking of calls;
• record keeping and numbering;
• file retention;
• closure of cases; and
• contact list of key individuals that may need to be alerted to a call situation.

Finally, the review should take steps to and evidence that the organization encourages employees to report problems and is accepting of reported employee concerns or allegations of suspected violation of law, regulation, organization policy, wrongful behavior, and unethical conduct within the organization in the event that the existing management and human resources grievance procedures are inappropriate or unresponsive. The results of the audits should be reported in concise, clear statements. The following are some of the questions that an audit report should answer:

• Is the hotline operating in accordance with established policies and procedures?
• Are calls being diligently followed up to resolve issues and problems?
• Are hotline calls being resolved by responsible parties cooperatively?
• Are reports being acted upon in a timely manner?
• Has the hotline staff received training on their duties and responsibilities?
• Are call reports sufficiently detailed so as to permit appropriate follow-up?
• Are employees being reminded that the hotline is available for them?
• Are executive leadership and board being kept informed on the results of the hotlines?
• Is the hotline operation functioning as an effective compliance tool?
• Is there high use by employees, suggesting widespread confidence in the hotline operation?
• Are the anonymity and/or confidentiality of callers being protected?
• When test calls were made, were they answered by the second ring?
• Are all calls reported properly on the call log?
• Is the information received by the hotline maintained privately?
• Are those who evaluate and investigate hotline complaints properly trained?
• Are records kept regarding the duration of hotline calls?
• Is there appropriate file security, and are access controls limited to authorized persons?
• Are hotline files kept in a private office, in a locked file cabinet?
• Is there controlled access to hotline records that document those who accessed files?
• Are the files organized systematically for easy retrieval?
• Do the compliance hotline policies address all the key elements in the hotline function?
• Are policies governing the hotline function comprehensive and easily understandable?
• Do the policies address proper documenting and resolving hotline call issues?
• Are closed files kept separate from open cases?
• Are calls logged in acted upon promptly?

¹Information drawn from the Ultimate Hotline Manual: Tool Kit & Practical Guide for Establishing/Managing a Hotline Operation, 2005 (ISBN 0-9763344-0-2) by Richard P. Kusserow.

Reprinted from Journal of Health Care Compliance, Volume 15, Number 1, January-February 2013, pages 49-52, with permission from CCH and Aspen Publishers, Wolters Kluwer businesses. For permission to reprint, e-mail [email protected].

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.