By Richard Kusserow, former HHS Inspector General and CEO of Compliance Resource Center. Reprinted from his Wolters Kluwer‘s Kusserow on Compliance Blog
Hotlines are a key element in any compliance program and have been called for by the U.S. Sentencing Commission, HHS Office of Inspector General (OIG), Sarbanes-Oxley Act, and HIPAA Privacy/Security Rules. Even the Supreme Court has made clear that hotlines are needed to raise an affirmative defense for unlawful harassment. The problem for many is trying to determine how and what an effective hotline function should look like. The following are some key elements of effective hotline operation:
- Establishing the hotline. One of the most tangible components of your compliance program is the reporting channels that employees can use without fear of retaliation, such as an employee hotline. Fortunately, a hotline is easy to establish. Many firms will operate your hotline for a fee, providing a toll-free line, 24 hours a day, seven days a week, 365 days per year, as well as live operators and other bells and whistles, depending on the needs of the organization. You may also establish a hotline internally with relative ease. However, simply turning on a toll free telephone does not mean that you have an effective hotline.
- Establish a mission and objectives for the hotline function. To ensure effectiveness of the hotline operation, you must start with clear objectives or mission for the hotline. To support this objective, organizations could establish a supporting policy and procedure documents, including those relating to ensuring anonymity and confidentiality.
- Establish a basic plan of operation. A hotline operation extends beyond the telephone number; it includes an objective, operating protocol and procedures pertaining to call volume, security measures, investigation, follow-up, and resolution. Operating protocol and procedures are the details of how the hotline will be operated including the hours of operation, report preparation, response times, etc. This information may be included in the hotline policies; however, it would be more appropriate for an operations manual.
- Develop and implement hotline related policies. A number of policy documents are needed to ensure the hotline will be able to function effectively. These documents will indicate a number of policies, including how the calls are answered, documented, and acted upon by those responsible for its operation. However, there are many other needed policies to ensure the efficient operation of the hotline. Some extend to the entire work force and include a focus on: (1) a duty to report, (2) anonymity/confidentiality, (3) non-retaliation/retribution, (4) relationship with legal counsel, human resource management, and financial management, (5) investigation and case management of hotline allegations/complaints, (6) reporting to external authorities, and (7) auditing and monitoring of the hotline. By implementing these policies in advance of receipt of serious allegations, providers can help ensure an effective outcome.
- Assess follow-up on call reports. Often overlooked with internal hotline reviews is an assessment of the steps following receipt of a call. If the primary objective of a hotline is to receive and resolve allegations of misconduct or other problems, then the Compliance Officer should carefully review this secondary process. Furthermore, it is our experience that the OIG looks very closely at the activities following receipt of a hotline call. Specifically, reviewers want to see tangible changes as the result of hotline calls such as disciplinary action or enactment of new policies or procedures. Thus, a key to effectiveness includes an assessment of whether the staff who investigate complaints and allegation have been properly trained.
- Ongoing auditing and monitoring requirements. The OIG calls for ongoing auditing and monitoring of both high-risk areas and the compliance program itself. This includes the hotline operation. As with all other operations, there needs to be ongoing monitoring of the hotline operation, as well as periodic auditing that reviews call volume and quality of calls received, logged, and acted upon. The Compliance Officer is normally responsible for ongoing monitoring of the program, but cannot conduct independent auditing under the compliance office. The independent review should address how the hotline is promoted (i.e. checking on posters, references in compliance training, how it is addressed in the organization’s code); training of staff handling hotline reports; and how well the allegations received were resolved. The results of these reviews should be referred to the oversight committees, including recommendations for improvement.