[Webinar On-Demand] Compliance Program Effectiveness: From Mystery and Mayhem to Mastery and Metrics

SUMMARY KEYWORDS

compliance program, regulatory landscape, risk management, effective compliance, policy review, training education, auditing monitoring, confidential reporting, investigations process, leadership support, risk assessment, subject matter expertise, metrics tracking, continuous improvement, healthcare compliance

SPEAKERS

Sara Low, Marti Arvin

Sara Low  00:12

Welcome everyone. Today’s live webinar is titled compliance program effectiveness from mystery and mayhem to mastery and metrics. This educational webinar is sponsored by Ntracts, the leading Contract Lifecycle Management solution for healthcare organizations across the country. And this live webinar will last 60 minutes, and at the conclusion, there’s going to be an opportunity for Q and A to submit your questions. Please use the Q and A feature at the bottom of your zoom screen and for important, important information about today’s webinar and to chat with either myself or with Marti, please use the chat feature at the bottom of the screen. Now I’d like to go ahead and begin our presentation, and I’ll start by introducing myself, and then I’ll pass it over to my co speaker, Marti Arvin, to introduce herself as well. Okay, so my name is Sara Lowe. I’m the Senior Vice President of strategy and operations at Ntracts. I am a certified healthcare professional, and I have about 20 years of leadership and operational experience in healthcare and technology solutions development, as well as in the compliance space. I’ve served in house working with a healthcare system throughout the management of their Corporate Integrity Agreement, in addition to continuing my career in software and CLM in the healthcare space, Marti, I’ll pass it over to you.

Marti Arvin  01:49

Thank you. Sara, good afternoon. My name is Marti Arvin. I’m the chief compliance and privacy officer for early health in Chattanooga, Tennessee. I’ve been in healthcare compliance more years than I care to admit. And you know, just when you think you’ve seen it all, they come up with something new for me. So it’s always a challenge to do this well, but I look forward to talking with you today, and hopefully we can give you some good takeaway information.

Sara Low  02:14

Thank you, Marti. And I’ll just get ready to kick us off and briefly introduce our conversation. But I think everybody is pretty well aware that the healthcare regulatory landscape continues to evolve, and maintaining compliance is crucial across all healthcare markets, so from small rural and community facilities all the way up to multi hospital systems and everything in between. So we’ll examine the essential role of the compliance programs in ensuring regulatory adherence and risk management and high standards of care, which, again, that’s really why we’re all here, right? So given the complex and changing regulations, and even the changing risks that we all face in healthcare and healthcare compliance, healthcare providers must continuously or continually evaluate and optimize their compliance strategies. So throughout this webinar, Marti and I will dive into the seven elements of an effective compliance program and also what the DOJ is looking for when healthcare organizations are asking us or asking you all to demonstrate that effectiveness. Marti, thank you for sharing your expertise with us today. You’re definitely the star of the show, and thank you AHLA for hosting this very important discussion. Before we begin, we’d like to take just a few moments to learn a little bit about, little bit more about who is in the audience today. So please refer to your webinar zoom interface to answer these two polling questions. The first one should be up on your screen, and it is, what is your role within your healthcare organization. Are you a general counsel, outside counsel? Are you a compliance executive, or do you have another leadership role? Are you a physician, or do you have another role within your organization? Okay, it looks like just about the 32% are GCS or general counsels, and we’re tied with compliance executives. So great. It’s always great good to know who it is in the audience that we’re speaking with. So thank you for responding to that first question, and we’ll move to the next polling question. And in this question, we’re asking you what you’d like to learn most about today. Are you interested in understanding the basics of an effective compliance program? Are you starting from zero? Are you interested in how to increase the efficiencies of your already existing compliance program? Are you interested. In how to manage the risk analysis process and also incorporate lessons learned. And lastly, are you most interested in how to incorporate continuous improvements into your compliance program? You okay, jump to the results. It looks like, well, we’ve got pretty close responses, but the majority are here to learn how to incorporate continuous improvements into their existing compliance program. And then we have a tie for the second and third responses in how to increase efficiencies of an existing compliance program and how to manage risk analysis process and incorporate lessons learned. Looked like the majority already have an understanding of the basics, but we do have some that are here that would like to understand those as well. Thank you again, everybody for responding to our polling questions, and we’ll just go ahead and jump right into our conversation today. So Marti, I’m going to go ahead and toss it over to you to kick us off, if you don’t mind.

Marti Arvin  06:11

Not at all, Sara. Thank you. I just want to point out to everyone I am an attorney, and wanted to be clear this is intended for educational purposes. You.

Sara Low  06:26

Oh, it it sounds like Marti may have frozen a little bit, and she’s back with us.

Marti Arvin  06:37

I apologize, am I can you hear me? Sara, yes, I apologize. I’m probably going to have to go off video because my internet connection being just a little bit wonky today. Just wanted to comment, this is presentations. Is not legal advice, and the opinions that expressed are those are our own, and not necessarily those of our organization. So we want to talk a bit about some just simple things about demonstrating an effective program, and then actually dive into the seven elements, as Sara mentioned, and talk about the DOJ approach, and just hopefully provide some practical tips that you might find helpful. So demonstrating an effective program, why is this such a challenge? I mean healthcare site compliance programs for going on almost 30 years now. And so, you know, why is it such a challenge? Well, it’s kind of like justice Potter says about pornography. I can’t really define an effective program, but I know it when I see it, and I think that’s how a lot of people feel about this, because we don’t have any construct. There aren’t any specific regulations that say if you’ve got a B, C and D, you’ve got an effective program, DOJ and OIG. Tell us if you’re following the seven elements, then you know that’s at least a good start to have an effective program. But one of the issues that makes it such a struggle is there isn’t that defined roadmap. What works for one organization doesn’t necessarily work for another. I’ve been a chief compliance or chief compliance and privacy officer at five different organizations, and my compliance oversight infrastructure was different in every one of them. And I think it’s a balance. It’s, you know, trying to find that sweet spot where you can utilize your compliance program to mitigate your risk, but you also have to keep in mind the strategy and the business needs of your organization, and so it is a challenge to try and find that and figure out what you can do to make your program effective without making bringing everything to a standstill, because you you know, are trying to achieve perfection, we’re not all the same size, so one size does not fit all, and all the components of an effective program don’t always live in compliance, and that’s one of The things I think folks need to really be cognizant of. You don’t have to have everything under your oversight as a compliance officer, Part of that’s going to depend on the size of the organization, and you may need to leverage colleagues and other business units to help support support the affected program. And again, we’ll talk a bit more about key elements of that as we go through the seven elements, but also your organizational structures are different. As I mentioned, I worked at UCLA health system, and there I had privacy, information security, hospital compliance, physician compliance and research billing compliance. And I worked at the University of Louisville, and I was the chief privacy officer for the university. So again, part of what you do is going to depend on that area of oversight and responsibility, and also depending on the nature of your organization, your compliance obligations may be different. If you don’t do research, then you obviously don’t have that as a component of your program. You may not have privacy under your purview. That may be a separate office with a separate leader handling that. You may not have information security. So you know thinking through the organization has some compliance obligations, but do you have those? And what is your responsibility for working with your colleagues who may have that oversight responsibility to help ensure that the entire organization is covered and your risk are properly mitigated. So with that, let’s start talking a bit about the program elements and standards and policies and procedures. And Sara, I apologize. Did you have anything that you wanted to add to that that first part,

Sara Low  10:39

not to the first part, but I do have a have a couple of points I wanted to discuss during the policy conversation. Okay,

Marti Arvin  10:46

perfect. So let’s dive right into policies and procedures. And some people look at and say standards, policies and procedures. But you know, what is the DOJ looking for when they publish their memo on what constitutes an effective compliance program. And so these are the some of the some of the questions they’ve indicated they would be asking the organization or evaluating for the organization. Are new policies designed? And how are new policies designed and implemented? Who decides what whether a new policy is warranted. Some organizations distinguish between policies and procedures in their separate documents. Some organizations have them as a single document. Some organizations have policies, procedures and protocols. So just thinking through what you need to cover for your program, and we’ll next couple slides get into that a bit more. Also, this is a critical factor, and I think Sara, you may have some input into this. Our policies and procedures routinely reviewed and updated. If you don’t have a good process for that, you can very quickly get behind and not be utilizing current and up to date policies.

Sara Low  12:06

Yeah, thank you, Marti. And I think you made a really good point just a few moments ago in talking about each individual organization is going to look different, and that means our policies are going to look different too, however. And you know, as I mentioned before, I’ve been in the healthcare technology space and compliance space for quite some time, so I’ve seen various different healthcare organizations across the gamut of all different sizes. But pretty common amongst them all are a need to have a succinct process for routing in in and reviewing their policies as they as they become drafted, so they’re at the initial drafting, also making sure that compliance has their eyes on all of the policies, and also that they’re accessible to the staff and the organization. So if there’s a centrally known location, whether that be through a shared drive or whether that be through a technology being utilized, it’s really important that, as you’re indicating that the policies, yes, they need to be well drafted and the content is very important, but they also need to be very accessible. So having that really well defined process and well understood process is going to be super important. And we’ve gotten the question quite a bit from our clients, even though we are a contract management solution and recommendations on how best they can manage their policies. But again, common amongst them all is they’re looking for ways to wrap a bow around their process for drafting, reviewing and then also revising and maintain, like maintaining those prior versions of their policies.

Marti Arvin  13:50

Yeah, and Sara, I think two key points that you mentioned, are they accessible to staff? You know, I think Sara and I would both say we can write good policies, and those policies will cover what your regulatory obligations are, but if that’s written in legal ease or written in terminology that most of your staff won’t be able to comprehend, they’re not going to follow your policy, because right and your policy so A, they have to be able to get to it, but B, they have to be able to understand it. And I said this in a conference that upset outside counsel that was also there, but I said I don’t think attorneys should draft policies. And what I mean to that, I don’t think I’m not saying they shouldn’t be involved in the policy process, but it’s my opinion they shouldn’t be the ones drafting the full policy, I believe it has to have significant input from the operations team, because they are going to be the ones that are actually going to implement the policy and help you stay in compliance with it. So they need to have input and be able to tell you, well, that’s great to draft it that way, but it’s not feasible in our organization, and if it’s. Not feasible. People are not going to follow the policy, and they’re going to find workarounds. So think about, you know, are they available, and are they well written so that your staff members are able to comprehend them for the most part? And then think about, who are the gatekeepers to identify and address misconduct if people don’t comply with your policies? So you know, the next two slides, I’m going to just quickly go through some areas that you know, this may be a no brainer to some of the people on the call, but do you have basic policies that cover the seven elements, what you’re doing as far as oversight, who your committees are, who your responsible parties are? Do you have policies on training and education and what you’re going to do around that. And you know, if your training is mandatory, because your policy say it’s mandatory, what are the consequences of people not completing training? What are your auditing and monitoring processes, and do you follow them? I came into an organization that had a very structured policy on sample selection and extrapolation and a number of other things that were part of their what they considered the routine process for conducting compliance reviews. People may feel differently about this, but from my perspective, I don’t use extrapolation unless there’s a significant issue, and that’s almost always after consulting with council to agree that we probably are going to need extrapolation in order to determine what overpayment may be necessary. But I wouldn’t use it as just a routine process for my not for cause compliance reviews. Are you have policy? I’m excluding screening for excluded individuals and doing background checks. And this, again, may be an area where compliance may or may not handle this. They ensure it gets done, but it’s possible that that actually is being done by human resources, and maybe the initial background check is done by them, and the ongoing exclusion checks are done by compliance, but leverage those other teams. If HR is already doing a background check for new employees, I don’t think compliance needs to duplicate that, but HR may not be doing those routine screenings, or they may be doing some of them, like licensure checks, and so compliance may be accountable for checking OIG and the SAM list and those types of things, but HR still is the one evaluating licensure and making sure that anybody who requires a license is do you have a hotline, helpline, an ability for people to reach out? Do you have a policy around that and how you handle that? Do you have a policy on how you handle investigations? I’ve always felt this is really important, because if you have a policy and a structure to follow that is going to help minimize the instances where you can say you aren’t independent and objective, because if you say, this is the process we follow, and we either always follow these eight steps, 10 steps, whatever your policy is, then you know, people can’t really question your process. There could be times in the investigation where you don’t need a step and you just need to document that. But again, do you have policies around all these items? Do you have policies around response and prevention. And those, to me, are kind of core compliance program policies, but you also have what I would call compliance level policies that are their subject, associated just specific subject. And some of these may be applicable to your program. Some of them may not. Again, it depends on the nature of your program, and so I just listed some here. The ones on the left hand side of the screen, in my opinion, tend to be pretty common in compliance programs, but the ones on the right hand of the screen are maybe not applicable. Applicable because Stark and anti kickback may be something that legal really handles. Teaching position documentation may not be applicable to you if you don’t have residency programs HIPAA, privacy and security, again, may or may not be under the purview of the compliance officer, and again, you may not have research. So those are policies that you might have in your program. And this is not intended, by any stretch, to be all inclusive, but rather just examples. And then, Sara, you mentioned, sorry, no, go ahead. Go ahead. You mentioned something a moment ago, and that I also think is important. As a compliance professional, I think you need to make sure that people in your organization understand instances where you may need to have input into policies. So the policies I’ve been talking about so far, I would view as policies that are, quote, owned by compliance. Some other policies may or may not be owned by compliance, but I think it’s really. Important that compliance has some input into those. And again, the ones on the screen are just examples of that by your financial assistance policy does, does it meet the OIG guidance and you know your obligations under ensuring that you know you’re appropriately evaluating folks for charity care or financial assistance. How are you handling credit balances? Is that appropriate? And, you know, I heard organizations that would say, Well, if the Credit Balance is less than $10 then then we just write that off of the account and kind of put that into the general fund. Well, you may have state achievement laws that require that you turn that over to the state. And so, you know, people need to be cognizant if they’re writing a policy that says we’ll just keep it if it’s less than $10 that may create compliance risk for you. That again, somebody needs to look at that. How are you handling write offs? Who can do write offs? What are the levels of write offs that different people in different positions can do. Sometimes med staff bylaws are things that compliance might have helpful input for. Anything to add to that. Sara,

Sara Low  21:10

just a couple of a couple of things that popped up when as you were speaking on the past couple of slides, and one when you mentioned it was probably a no brainer about the policies that address the seven elements. And yeah, I think that probably everybody on this call understands what the policies should be. But as you’ve been in multiple organizations and in various stages of their compliance maturity, many organizations are frankly focused mostly on the bottom line, and how they can make ends meet to take care of their patients. So compliance isn’t always the front of mind, as much as we all wish that it were, or like to think that it would be. So I think it’s really important that, as you all are working in your compliance programs, is that there is at least an initiative to get your arms around what policies actually exist, like doing an inventory of what exists, whether it falls underneath the eye of compliance, or whether it falls underneath another department. So, you know, I, I’m in the technology world, so I immediately go to technology is, if it’s a folder on a shared drive or an intranet that’s fine, or a more mature technology solution that that is specifically designed for healthcare compliance, that there be some centralized locations, or move towards that so that you can effectively inventory all of your policies related to compliance and otherwise, and also where there may need To be revisions of them.

Marti Arvin  22:41

Yeah, and you brought to mind another point, Sara, that that you need to be cognizant of to help ensure the effectiveness of your program. Make sure that people ask before they draft a new policy, because they’re, you know, department a could have created a policy on this topic, and then department B goes off and creates another policy that’s in conflict with the first one, and which one supersedes. I was actually in an organization where a department at the department level drafted a record retention policy and it was inconsistent with the health system record retention policy and the campus record retention policy, it created an actual, actually a shorter record retention period than those two policies which would have superseded it. And so, you know, if they actually end up following the policy, and it got us in trouble because they deleted documents earlier than they should have been, and we had a regulatory oversight body come in, and we needed access to the records. Yeah, we’re able to scramble and pull some things together, but that’s just an instance of making sure people are aware. Is there a broader system level policy and making sure that whatever you’re drafting aligns with that great point. So let’s switch now to program oversight, and again, some of the DOJ questions, is the program well designed? And I think what you’re looking for here is, what are our compliance obligations, and have we designed a program to help mitigate risk around those and so you know, when you think about is it well designed? What I would design for earlier health may be very different than what Sara would design for Ntracts, because our company structures are different, our legal obligations are different, our workforce is different, but that’s what you have to keep in mind on this. And part of the piece, in my opinion, of well designed, goes to how are you tracking what you’re doing as part of your program? Yeah, you know the old adage of what gets measured gets done, I think, is very true. And if you haven’t created metrics around. Any of these items, that it’s going to be difficult to show any level of improvement or any changes to it. So I wonder

Sara Low  25:09

if I might ask you a question, Marti, if it’s okay, since we’re talking about metrics, and I agree, meaningful metrics are what need to be tracked. But as you’ve been in various organizations, what type of KPIs would you suggest to the audience that be their top priority, key performance indicators as relates to how well the program is designed and how it’s applied and understood?

Marti Arvin  25:36

Well, I’ll share with you an example in one of my prior organizations, I was fortunate enough to have a database manager on my team, so we actually created a database that tracked all of the activities that we did in the Compliance Office. And so a lot of organizations are a lot of what I see is people track how many hotline calls they get, and they track their investigations, but they don’t always track things across the other elements of the seven elements, and our activities tracking database actually tracked it based on the seven elements. And I say tracked every activity. You know, if we got a phone call from somebody, and I can answer it off the top of my head that didn’t go into our tracking database, but if I had to spend an hour researching something, that would be and so after the end of a couple of years, one of the trends we noticed is our investigations were going up. And the CEO asked me, he said, Marti, shouldn’t we be worried about this? We’re, you know, we’re investigations are climbing. And my response was, I’m not worried about it, because if you look, we’ve also shown that we’ve increased our auditing and monitoring and we’ve increased our training and education. So I firmly believe it’s because people are more aware of what compliance is and when they need to report a compliance concern, and so we’re seeing more investigations as a result. And I told them, I believe what’s going to happen is we’re going to we’re going to have a period of increase, and then it’s going to start to drop off, and then we’re going to kind of find our normal. I said, we’ll always have investigations, but we’re going to find our normal. And that’s essentially what happened. We started to see investigations decrease after the second, third year of the program, because, again, we were getting more compliance. We would also track whether we had upticks in questions after we published some sort of compliance education to see if people were asking us more questions around that topic. And so I think if you have DOJ or OIG come in and they’re looking at your program and say, Well, how do you know anything’s working? To me, those would have been two instances to be able to demonstrate that it’s working. You know, I also look to say how many of your hotline calls are anonymous, or how many queries to compliance are anonymous versus not anonymous, I firmly believe that’s an indicator of people’s fear of retaliation. If people are afraid of being retaliated against, then they’re probably not going to raise compliance concerns, or they’re going to want to raise them anonymously so nobody knows it was them. Your hotline calls are dropping in from the anonymous perspective, but you’re seeing an increase in uptick in queries to the Compliance Office or reports to the compliance office. I actually think that’s a good thing, and that’s a good story to tell. So I ideally, I think you should be tracking everything you’re doing across the seven elements, and then being able to produce graphs and metrics on that. And you know, another thing I did at a different organization is I tracked the aging of the compliance issues we were addressing, and we did a project that resulted in a huge uptick of issues, and I, by doing the aging, I was able to reach out to leadership and ask for more resources, because I said it’s taking us longer to address issues than it should, because we don’t have enough resources to be able to actually renew them. And that goes back to is it adequately resourced? Is a program applied in earnest, in good faith? I can’t I don’t know if I’ve ever met a compliance officer that is said, I have all the resources I want, right but, but I can say I I’ve had programs where I feel like I was what I called right resourced. And, you know, I think it’s also important to know that resources don’t always mean people. Resources can mean technology solutions, and I’ve certainly, and I’m a strong advocate of utilizing technology solutions that can allow your team members to fully use their level of expertise and not have them doing, you know, work that’s more menial, that isn’t really utilizing their expertise, because that’s not really what. You paying them for

Sara Low  30:00

No, no, absolutely not. I love the point that you make about understanding the volume, not just the volume of your hotline reports, but also whether or not the volume of Anonymous is high versus not. I think that’s a really interesting, interesting point.

Marti Arvin  30:20

And you know, if you look at these things like oversight, you know, what’s your compliance committee structure look like? Who’s on the committee, who’s attending the meetings? I also think that is going to be extremely helpful if you actually track that, and you track, you know, if you have a Compliance Committee that has 15 members and only five show up at every meeting. I don’t think that’s a good story to tell. I think you can demonstrate a more effective program if you can demonstrate that you’ve got people who are there and engaged and interested in the discussion and conversation. I will tell you at one of my prior organizations, we created what we call the compliance oversight board, and we only met four times a year, but we started finding that every time the meeting was coming up, we’d have everybody canceling on us. So instead of having 10 people, we would have five. Even the chair of the committee his his team was scheduling over it, and so I mentioned it to him, he said, Well, that can’t happen. So at the next meeting, he said he was the highest leader of the organization, and said to everybody else, I’m going to be here. I expect you to be here. There might be rare occasions where you can’t but you know, I expect it to be rare. We only do this four times a year. It’s not too much for you to commit to and here, and we had incredibly good attendance after that. But that goes back to that tone at the top of oversight, right? Talk about, you know, you need to have people who are going to stand by the compliance officer. And you know, I am, have been very fortunate to always feel like with my leadership, that if I told somebody that I, you know, I didn’t think they should be doing something or they needed to change something. You know, some leaders, some individuals, you know, they’re going to turn to the leader and say, Well, what’s Marti doing? But I always felt very comfortable that the leader would support me and say, you know, what she’s doing is trying to protect the organization and help us stay in compliance and not kind of listen to that drama sometimes that you can get into. I think we need to pick up our pace just a little bit, maybe to make sure we stay on time and hopefully lose some time for questions at the end and again, some of the key factors. DOJ is asking, is it well designed to prevent misconduct, and so not only prevent though, but to detect it as well, and leadership supporting the program that goes back to your Compliance Committee. If you have your senior leaders on your Compliance Committee, and they’re never attending the meetings, that is not a good story to tell if a regulator comes in. And so I my recommendation, and it’s something I’ve always advocated for, is everything in your program should tie back to the seven elements. So the agenda for my Compliance Committee meetings follows seven elements, obviously. As a result, the minutes follow the seven elements. The activities tracking database I’ve created follow the seven elements, and so everything was structured around the seven elements. And while I’ve seen programs where, you know, they clearly have the seven elements, they don’t structure everything around it. And again, it’s my opinion that it’s easier for you to present that to outside parties who may be questioning your program, if you can go back and say, Here’s our agenda, seven elements, here’s our minutes, seven elements, here’s our tracking database, seven elements. And so it’s very clear you’ve structured your program around those elements and have a strong interest in ensuring that you’re mitigating risk associated to those seven elements. And you know, another key factor is, does the organization understand the risk? Because you know, you can’t really structure training and education that’s appropriate and effective for your program if you don’t know what the risks are for your organization. And that’s going to tie into both location of your operations, your industry sector, what your regulatory landscape is, sometimes competition is, and so you know that is a key factor that I suspect everybody on the call recognizes, but tying that back in and thinking about your seven elements. What are you doing around auditing and monitoring? What are you doing around training, education? What additional steps are you taking, if necessary for response and prevention?

Sara Low  34:54

I think if you don’t mind, we’ve talked a little bit about. Clients being more front of mind than it used to be. And I think that that is true. But when you’re talking about, does the organization understand its risks? How do you help support your organization? Or how have you helped support your organization in understanding what their risks are and the severity of the risks that they’re that they’re facing. In other words, keeping compliance top of mind.

Marti Arvin  35:28

Yeah, one of the things I’ve done in the past, and you know, it’s quite effective for the particular organization, is, you know, well, I think all of us do risk assessments. I suspect many of us go, you know, we talk to our senior leaders. What keeps you up at night, we review industry activity to see what OAG DOJ is looking at. But the other piece is trying to help the organization understand it. I created a work plan, and I took the work plan and when I went to present my budget, and I was asking for some additional positions in the budget. And what I did was I presented my work plan to the leadership and said, Here’s what I think we need to be addressing in the next year based on the risk assessment the industry landscape. And you know, so these are the risks that I’ve come up with from that perspective, but everything I put in red I will not be able to accomplish or address without additional resources. I said, you know, you really own risk, and if you tell me, Marti, we’re not giving you anybody to address, research, billing compliance, then that tells me you don’t think that’s a risk that we need to address, because I don’t have subject matter expertise on my team to be able to do that without the additional resources, I cannot do anything associated to that risk. And if you decide that, you know you’re not going to give me the additional resources, the message I’m hearing is you don’t believe that’s a risk that we need to be addressing, and I’m perfectly fine with that, because you’re the leaders that get to determine risk tolerance and where we need to focus our resources, but understand nothing’s going to happen with this. And I think that helped drive home to them that they were the Accountable party for risk to the organization, and they needed to think about are these risks that we think are necessary for us to address in our landscape? And I think that’s very, very critical that once professionals try to make it clear to their leadership, in my opinion, the leadership owns risk. They get to decide the risk tolerance of the organization. I do not decide that. I probably provide them information to make an informed decision, and if they want to take a very high risk process rather than taking the lower risk, then, you know, I’m comfortable, as long as I think they made an informed decision and they had all the information they needed. But I think that’s really important for compliance professionals to step back and say, I don’t own this risk. I’m the party that helps mitigate it. I’m the party that helps inform our leadership of it. But I don’t own leadership. Can decide whether we do something about it or not. That’s

Sara Low  38:18

those are great points. You provide the information, you gather the data translated into an understandable way for your leadership team, and then arm them with or equip them with information to make the call. So I think those are great points. Thank you. Yeah,

Marti Arvin  38:34

and I think we talked a bit already about the commitment of leaders and management, but one of the other things that you’re seeing more and more frequently is looking to say, you know, your ultimate governing body. Do you have expertise in compliance on the governing body? And particularly for some larger organizations, I’m seeing it more and more frequently that they actually have a compliance professional on the board, and that’s part of their makeup. And you know, the thought process is that person probably has a broader insight into what some of the risks are, and can help the rest of the board members know what questions to ask and help explain some of the issues to them. So that may be another thing you want to consider for your effective program is is trying to support and encourage that expertise on the board. I know we recently added someone who is an internal auditor to our board quality and Compliance Committee, and he brings some really great insight and expertise to us. The adequate staffing, I think we’ve touched on this, but one of the areas that DOJ looks for is, not only do you have enough people, but do you have enough people with the right subject matter expertise? And so it’s not just having enough, you know, butts in the seat, so to speak, but if you don’t have people with the right subject matter expertise, like in my prior example, for research, billing compliance. Is then it, you know, it’s still not sufficient in order to address the risk of the organization just compliance have access to data. This is becoming, you know, over the past probably five to 10 years, really increased focus of DOJ and OIG, because they know they can do a ton of data mining, and their expectation is we’re doing that same kind of data mining as part of our compliance program. So if you’re not doing it today, you probably want to consider adding that to your effective program. And if it’s outsourced, then who oversees this? If you’re outsourcing a component of your program, in some organizations, I’ve seen outsource training and education, they might outsource auditing and monitoring, but you can’t just turn it over to the third party vendor and say, Okay, we’re done. We’re good. Somebody as part of the organization needs to oversee it and ensure that what they’re doing is adequate for your organization and your compliance infrastructure, training and education. You know, again, DOJ is looking at this, is it risk based? Is it effective based on the content and form of delivery? Is senior management actually following it? Because to me, that is one of the most critical things. If employees see that senior management aren’t doing all the things we’re asking them to do, then you’re dead in the water. Because you know, if you know the CEO is not following the rules, if the CFO is not following the rules, if the CMO is not following the rules, why do I have to follow the rules? And where can employee seek guidance? Part of that through the policies and procedures we’ve talked about. Part of that is the hotline, helpline. Part of that is just things you may have on your website. And you know, when you think about effective training, I’ve said this publicly before, and I will repeat myself, I don’t think annual compliance training does a lot to move the needle as far as people understanding what their obligations are in their compliance. I’m not paying for eliminating it, but I think, you know, I want to focus it in a little more fine tune it for issues you’ve been dealing with, and I’ve been reading up on some things, and we’ve started doing this more of what we call micro learning. So we send out an e tip every two weeks that is on a specific topic. It’s very short, it’s very easy for the end user to read, and we notice that we get questions from our workforce on that topic after we send it out, and we’ll repeat them. So it, you know, you might see one of them twice a year, so it’s not too frequent, and it’s not too much, but it keeps compliance in front of them on a very regular and routine basis. And I’ve done this at my current organization, and I did it at a past organization, and I’ve had very positive response from the workforce. They like it. We try to make it a little bit fun, but also get the point across. I think one of the caveats to that, though, is you have to be careful that you can fully encompass whatever topic you pick in that short little snippet, because what you don’t want to have is, you know, have five components of something that has eight components. And because you want to keep it short, you leave the other three out, which may list mislead people or give them, potentially misinformation.

Sara Low  43:28

I have so much I want to talk about here with training and education, but I also want to get to there’s a question relevant to what you you’ve been talking about, and I think you may have just answered it, but I will mention how important and you were getting, getting you were talking about what you what you’ve implemented, but frequent and reoccurring training for, you know, new employees, existing employees, and also adjusting based off of what’s happening in your organization, making it relevant for for them to understand the compliance environment, I Think, is huge. So kudos to you for doing that. But jumping to Gwyneth had a question, and again, I think you’ve answered this somewhat. She says, I find it difficult to measure an effectiveness of an annual compliance training. Any suggestions,

Marti Arvin  44:16

I’m not going to have a great answer for you, because I also think that’s a little bit difficult, but I’ve always tried to advocate for any any training module that you’re doing, like computer based training, try to have some Q and A to it. I do advocate having a short quiz at the end that helps you demonstrate that people understood the material. You know. You don’t want it to be a 50 question test, but you might have, if you’ve got say two modules for your annual compliance training, maybe you have five questions at the end of each and and track that. And, you know, have a minimum score that people have to pass to be able to say they, quote, passed the training. I. I think that’s helpful to demonstrate to regulators that you are testing the effectiveness. Some organizations will do surveys after it and try to capture the retention. I have always found that a bit challenging to do in the organizations I’ve been in. I’m not saying you shouldn’t do it, but I found it a little more resource intensive than what I could accomplish in the organizations I was at. If you’ve got a methodology to do surveys afterwards, I think that’s helpful. I think the concern with having a test immediately after, they might have retained the material for that 10 minutes, but obviously what you clearly want is a month later, you’d like for them to know the material. One advantage I found with the micro learning that comes out from me is people retain who the compliance officer is. I mean, again, there might be people who don’t know my name, but if you said, Do you know who your compliance officer is, or do you know how to reach them at my prior organization, when we post that question, many, many of them said, you know, I don’t remember her name, but she sends out that E tip every two weeks. So they, they said, I know how to find out who it is. And so for me, I think it’s, you know, it’s if they know how to find out who I am, that’s good enough. If they know my name, great. But you know, I think as long as they know how to find me or find my team, that’s what’s important.

Sara Low  46:25

Do a quick time check Marti we have, it’s 246 so we have just a few minutes before we were targeting getting to questions. So

Marti Arvin  46:33

I’ll go through the rest of this. You know, thinking about who you’re training, I think we all do this, what tools do you use? Many people use computer based training. I just caution on that. You know, think about adult learning and how adults retain information. They see it, they hear it, they interact with it. I think just having somebody sit in front of a computer screen and click through slide after slide after slide, I just encourage you to think about how that process functions, if you can intersperse it with questions that may or may not be tracked that also helps to reinforce the training material that you’re doing. We already talked a bit about how you evaluate effectiveness, and is there annual training? Again, I think it’s something that’s expected by regulators, and I think it’s something you should do, but doing the same thing over and over and over every year after year, year year. I’ve seen that in organizations. I don’t believe it’s effective, but others may, you know, disagree with me on that, and I just think, think about, what are the five things we’ve dealt with over the past year, and try to focus that annual training around those things that you know people are struggling with, auditing and monitoring. Again, we talked about your risk assessments and identifying your risk are resources allocated to address these risks? Again, that goes back to the prior question on DOJ is, do you have subject matter expertise? Do you have the right people? Are you assessing risk over time? So if you identified an issue in your program three years ago and put in place corrective action, have you gone back to ensure the corrective action is still working and that you don’t still have that same issue? Have your risk has your risk profile changed over time? So you probably shouldn’t be auditing the same thing over and over again year after year. Sometimes you’re going to repeat things, but they’re probably, I mean, I’ve never been anywhere, but I haven’t had new things on my work plan and old things drop off my work plan. And how are you incorporating the lessons learned from your risk analysis and thinking about, how do you ensure that you know if you figured something out that was not correct, or your risk analysis was an issue, what did you do to correct that? And I apologize, I know we we’re running a bit tight on time, so I’m going a little bit quickly through this. I think some other stuff. You know, people on the call are going to be familiar with, but thinking about your auditing and monitoring, is it continuous improvement, product process at testing and review, and who’s doing it? I mean, is it internal audit? Is it compliance auditing? Is it a combination? What controls are you testing for? Again, this is a piece that for your what I call not for cause reviews. In other words, you’re not sure if you have a problem, but you think it’s an area you should be testing. I encourage you to have a structure in place that explains why you’re looking at that issue. What your universe you’re going to assess is how you’re going to get your sample size and what controls you’re actually testing for. If you put that kind of structure in place, it will help minimize scope creep, and it also sets up the template then to do your findings report, because all you have to add to that then is what your findings were from that review process. And again, the. Keep out your evolving updates to your risk assessment and maybe changing your policies and procedures or adding policies and procedures, and this also helps to encourage the culture of compliance. I think I’ve already addressed these in a prior slide and prior conversation, but again, things to think about as you create your work plan, confidential reporting and investigations. Again, we all know this is critical. You can’t have people concerned about retaliation and expect them to report things to you. So making sure you have an effective system that allows people to report, allows people to report in a way that you know they understand it’s going to be blame free that they made the report. And if you do find somebody retaliating, gives someone making sure that you address that you also want to think about. Are your metrics on responsiveness? If you had somebody report something six months ago and you put it in your tracking system and nothing has been done on it for six months, that’s not a good story to tell. You want to have a good story to tell when regulators come in and help them understand sometimes investigations take time and but you want to be able to say this has been open for six months because and give them all the rationale why it’s taken that long to try to get this issue addressed. If you don’t have that good story, then it’s going to appear that you don’t care. And that may tie back to resources. You have to have the resources to address the concerns as well. And do you have those metrics in place for the reporting method and the investigations that you’ve been monitoring again? DOJ questions around this are investigations scoped correctly? Do you have you fully and comprehensively identified what the issues are? We’ve talked about the qualified personnel. Have you done an appropriate root cause analysis of why did this occur? Do we know, did somebody intentionally screw up, or did somebody put a computer system in place and program something inaccurately? What is that and another piece that I think is also really important to try to be able to demonstrate independence and empowerment, that that you have an independent investigation, and the people doing it are empowered to actually get the data they need and do the assessment they need, regardless of who’s involved in it. So if you’ve got your your best physician involved, those people need to feel empowered to be able to go in and ask questions, and the physician needs to understand, he or she’s expected to make the time and answer the questions. And then the communications channels for that, who do you dress it with? Is this a report that’s going to go to the CEO or the board? Only is this a report that’s going to go to the department? Is it going to go to the individual, if you’re, you know, investigating someone individually, what? What are they going to learn about what the outcome was? And you know, again, your policy environment around this, I would strongly encourage you to have an investigations policy that outlines your steps that you take, that will help support that you did it in an independent and objective way, and then thinking about risk management. When you think about disciplinary action, who’s involved, it’s always going to involve HR. In my opinion, compliance should never be imposing discipline, but compliance may very routinely be recommending the appropriate discipline, and I think compliance needs to be involved in ensuring that discipline is consistent, regardless of the workforce member involved. And you know, are you doing anything to incentivize compliance? You know, we hear so much about disciplinary action for non compliance, what are you doing to help ensure that people are incentivized to be compliant? And then I talked a bit about this already. Who participates? Are employees aware of disciplinary action. You know, you’re not going to go out and say, well, we gave Sara a written warning, but you can certainly go out and say, we had a situation where this occurred and and the employee got this disciplinary measure. You don’t need to say who the employee was. You just put the facts out there what the situation was and help them understand what disciplinary measures were taken. Now the one caveat to this, if you’re a smaller organization, you probably have to handle that a little bit more sensitively than a larger organization, because if it’s a smaller organization, everybody’s going to know who the person is, and so you want to be COVID of not making that person feel like they’re somehow singled out. And then responsive prevention, we’ve talked about several of these things as part of the other processes. But making sure you’re doing a root cause analysis, making sure you’re addressing anything that was a prior weakness that had not gotten fixed, reviewing your payment systems, reviewing your vendor management, any prior indicators that something was going to be a could be a problem, and what your remediation and accountability steps are, and I know I went through all that pretty quickly, but I know we’re gonna have a few minutes left for questions. I just want to go through this is just effective compliance per Marti Arvin, and so you can take it with whatever grain of salt you wish. Always try to do what’s required, or actually always do what’s required under the law. Obviously we can’t do anything that’s illegal. Do the right thing as much as possible, because what’s what you can do under the law may not always be what you feel as an organization is the right thing to do. Fix it when the organization identifies they haven’t done the right thing, but in place that corrective action so it won’t happen again. Educate constituents about the right thing through training and policies and procedures, create that environment where people feel free to speak up and ask questions, understand your organizational risk and create metrics to demonstrate that all of this is being done. I think that is a critical factor. It’s very easy for your leadership to look at graphs and bars and understand what you’ve been doing. And so to the extent you’re you can measure that and produce those metrics and do comparisons over time, it’s going to be one way to demonstrate that you have an effective program, because you’ll see a reduction, reduction in investigations. You might see it increasing questions being posed, and all of those are ways to tell your good story.

Sara Low  56:47

Beautiful. Thank you, Marti. We do have a couple of questions that have come in. I don’t know that we’ll get to both of them, but one that came in twice was any thoughts on outsourcing investigations?

Marti Arvin  57:01

I think any component of your program could be outsourced. But I go back to my comment earlier, you know, it can’t just be turn it over to them and, you know, say, have at it, and you’re done. It really is going to need to be making sure you’ve got people out there the external parties has the subject matter expertise you need that they’re doing it in a manner that’s consistent with your organization’s culture. Because if that’s not the case, then when they come back to present their findings, that could be a bit challenging in your organization accepting those findings. So I think finding the right fit and the right party to do it. I don’t have any objection to outsourcing it. I think one of the key factors you’ve always learned, at least my experience, has been, if you outsource it, it’s going to be, actually, probably more expensive than doing it internally. But there also may be specific issues that you outsource that activity because you don’t have the subject matter expertise. And you know, you don’t need ongoing subject matter expertise. You just need it for this one project. And I think that’s a really key area where outsourcing is appropriate. I

Sara Low  58:12

think you talked on, you touched on subject matter expertise. And another question came in that probably might be common amongst many, is, what can an organization do if there is not compliance expertise within their BOD, within their board of directors?

Marti Arvin  58:28

Well, that, I think, goes back to potential training and education, and how receptive are they to helping ensure they understand that, and you know, part of it may be training and educating them on why, identifying someone with that expertise could be extremely helpful for them. And so I think it’s, you know, educating them, if you if you can’t find anybody to sit on the board with that expertise, educating them on some of that. I mean, it depends on what your board’s like. I’ve got board members that are not in healthcare and haven’t been in healthcare, and so understanding healthcare compliance is a bit challenging for them, and that’s why I’m thankful we actually now. I mean, we’ve always had people with some expertise, but now we’ve got that internal audit person who worked with compliance in their organization, and so we have an increased level of expertise. So, you know, think about that. Maybe think about having an external party come in and do that training and education for your board. Hate to say it, but we all know the message is sometimes better received when it’s an external totally agree, totally agree. The same thing you are. We

Sara Low  59:40

have one more minute and one more question. Just to see if we can get to and we’ve been given permission to go over by a couple of minutes from AHLA, thank you. Last question, do you use a metric to evidence that the program prevents and detects misconduct?

Marti Arvin  59:58

Well, the way. I would utilize that is I would go back to two components of the program. One is auditing and monitoring. So remember, you’re not always auditing because there’s been a problem. You may have a new program that you’re implementing that you implemented a year ago, so you might want to go back in and assess that program, just to make sure everything is being done the way it should be, and that may be an instance where you detect, oh, no, we set this up wrong. We program the EMR wrong, and so it’s sending out bills and claims that aren’t accurate for what we’re actually doing. So that would be a way that you detected the wrongdoing, through part of your standard program, and then another way is monitoring and tracking those inquiries and questions and concerns that are being brought to you, because the workforce is detecting that there maybe is a problem. And so it’s not the compliance professionals who are doing it, but because you’ve done the training and education of your workforce, they’re now bringing issues forward. And so, you know, the Preventing also is just the fact that they’re asking the questions, I would argue, is demonstrating that we are detecting and preventing because people want to know how to do the right thing. And you know, it may just be giving them the comfort that what they are doing is, in fact, doing it right and mitigating our risk appropriately. So I would look to those two things as key metrics for how you’re detecting and preventing and so, and I would also argue that your investigations processes could be that as well, where you know you’re investigating an issue, you maybe did a routine not for cause review, it opened that big old can of worms, and now you’re investigating that, and, you know, going in and fixing it. So again, I don’t think you have to create a whole set separate set of metrics. As long as your metrics are monitoring and tracking what you’re doing across the seven elements, I think you can have a good story to tell if you can demonstrate some of the things I just mentioned.

Sara Low  1:02:12

Thank you, Marti, that is all the questions that we had come in. So I think we’ve got them all answered. Thank you again for joining me today and for sharing your breadth of expertise on this topic, this has been very helpful. This educational webinar has been sponsored by Ntracts, the leading Contract Lifecycle Management solution for healthcare organizations across the country. The continuing education code has been entered into the chat box, so please take this time to write down the code, and that concludes today’s program. Thank you everyone, and thank you HLA,

Marti Arvin  1:02:47

and thanks everyone. I hope you found this helpful. If anybody’s interested in reaching out to me afterwards, you have my contact information there, I’m always happy to to spend a few minutes see if I can help support something or maybe learn something new from someone else about what they do.

1:03:04

Thank you. Applause.