Lessons Learned – How compliance officers can better protect their organizations (Part 3)


This third installment in a series of bulletins discusses some of the challenges compliance officers face and offers best practices to show how health care providers and their compliance officers can work cooperatively to establish and maintain effective compliance programs, avoiding False Claims Act whistleblower lawsuits.

In the first installment, we discussed some of the challenges compliance officers face and highlighted challenges brought to light by the Halifax case. In the second installment, we introduced the first two best practices of an effective compliance program.

Developing Open Lines of Communication

Open communication is essential to maintaining an effective compliance program. The purpose of developing open communication is to increase an organization's ability to identify and respond to compliance problems itself rather than having them discovered by the government or a whistleblower. Generally, open communication is a product of organizational culture and internal mechanisms for reporting instances of potential fraud and abuse. When assessing whether an organization has open lines of communication that not only permit, but facilitate and encourage, individuals to communicate potential compliance issues internally, the organization should consider the following factors:

  • Has the organization fostered an organizational culture that encourages open communication, without fear of retaliation? What is the perception of employees about this? We often see that while an organization says they have a culture of non-retaliation, that is not what employees believe, and of course, that is what matters most – the perception of the employees who you want to bring these compliance issues to you. Consider doing an anonymous survey, such as through Survey Monkey or some other third-party survey company to gauge the perception of employees and solicit reasons behind the perception.
  • Has the organization established an anonymous hotline or other similar mechanism so that staff, contractors, patients, visitors, and medical and clinical staff members can report potential compliance issues without being identified? If the cost of a hotline operated by a third-party is not in your budget, consider setting up an un-manned telephone number that goes straight to voicemail and does not have Caller ID on it. This is not a perfect substitute for a third-party hotline since callers cannot anonymously call back for a status update if they choose not to leave their contact information, but it is better than having no anonymous way of reporting concerns. Another thing to consider is whose voice is on the voicemail message. Callers may not leave messages if they recognize the voice of the person on the voicemail message as they assume that this means their report will not be anonymous since they know the person on the other end. Consider having an outside person record the voicemail message that hotline callers will hear.
  • How well is the hotline publicized? How many and what types of calls are received? Are calls logged and tracked (to identify possible patterns)? Is the caller informed of the organization’s actions in response to a report? The hotline number should be available on the organization’s internal Intranet page. It should also be included in the organization’s code of conduct, posted on employee bulletin boards, and included in every communication the compliance department puts out. Make it as easy as possible to find the hotline number. Many health care providers have even begun to print the hotline number on the back of each employee’s ID badge so that the number is with them at all times. If a concerned individual cannot find the hotline number, they may instead search for “how to report health care fraud” on their

    The government makes it very easy to report suspected fraud. You need to make it even easier! If your compliance hotline is not getting many calls, then your hotline is probably not well-publicized. A well-publicized hotline will get frequent calls, even if many are not the compliance reports for which the hotline is intended. For example, we often see HIPAA and human resources complaints come in on the compliance hotline, but that is okay – at least it shows that your employees know how to report concerns, so when they do have a true compliance concern, they will be more likely to use your hotline then as well. Make sure you track the “non-compliance” calls also and forward them to the proper person or department for follow-up. If you use a third-party hotline or if the caller reveals his or her identity, you should provide a mechanism for callers to call back for a status update. Whistleblowers often feel that their reports were ignored because they never got any feedback on their reported concerns. To the extent possible, without revealing confidential information, develop a mechanism and make it your practice to communicate information to the person that made the report so that person feels listened to and heard.

  • Are all instances of potential fraud and abuse investigated? Regardless of the apparent merits of the report, an investigation should be conducted. This is important both for the reasons discussed above regarding the reporter feeling listened to, but also because sometimes even though the allegations in a report might have no merit, the investigation may lead to the discovery of a different, valid compliance issue. Log in all reports, summarize the investigation findings, and record all conclusions and corrective or follow-up actions taken.
  • Are the results of internal investigations shared with the organization’s governing body and relevant departments on a regular basis? Is your disclosure log shared with your Board and Compliance Committee? If a report includes issues related to a particular department, are those concerns shared with the department?
  • Is the governing body actively engaged in pursuing appropriate remedies to institutional or recurring problems? Does the Board seek outside assistance, where necessary, to understand and address compliance issues? How interactive are the Board meetings where compliance reports are presented?
  • Does the organization utilize alternative communication methods, such as a periodic newsletter or a compliance intranet website? If your organization has a periodic newsletter (print or electronic), does the compliance department have the opportunity to submit an article for each one?

Appropriate Training and Education

Organizations that fail to adequately train and educate their staff risk liability for violating health care fraud and abuse laws. An example of this liability can be found in the recent settlement in the Shands Healthcare whistleblower lawsuit.1 In that case, a whistleblower alleged that the hospital billed Medicare improperly and submitted false claims, in part, because hospital staff, including case managers and utilization review personnel, did not know or understand the applicable Medicare rules to do their jobs properly.2 Proper job training to ensure employees understand and appreciate the requirements of their positions is essential to having a compliant organization.

The purpose of conducting a training and education program is to ensure that each employee, contractor and any other individual that functions on behalf of the organization is fully capable of executing his or her role in compliance with applicable rules, regulations, and standards. In reviewing their training and education programs, organizations should consider the following factors:

  • Does the organization provide adequate training to employees and contract staff to enable them to competently perform their jobs? How does the organization ensure that employees and contractors know how to do their jobs before they are left to function independently? Are new employees and employees in new positions mentored or otherwise matched with someone who can provide assistance with questions?
  • Does the organization provide qualified trainers to conduct annual compliance training for its staff, including both general and specific training pertinent to the staff's responsibilities? This training should not only describe the applicable federal and state laws that health care providers must comply with, but should also discuss the organization’s compliance program, including efforts to ensure compliance, commitment to compliance, policy of non-retaliation for reporting compliance concerns in good faith, and the fact that adherence to the organization’s compliance program and policies is a condition of employment.
  • Does the organization evaluate the content of its training and education program on an annual basis and modify the content, as appropriate, to ensure that the content is appropriate and sufficient to cover the range of issues confronting its employees?
  • Has the organization kept up-to-date with any changes in federal health care program requirements and adapted its education and training program accordingly? As we stated above, a compliance program and its policies and procedures is not a “one and done” thing. It should be a series of documents, training modules, presentations, etc. that are reviewed, added to, and revised periodically as the organization and its risk areas evolve.
  • Has the organization formulated the content of its education and training program to consider results from its audits and investigations, results from previous training and education programs, trends in hotline reports, and OIG, CMS, or other agency guidance and advisories? When areas for improvement are identified, those areas should be incorporated into the organization’s compliance education and training.

Industries & Practices

Media Contact

Subscribe to Receive Updates
Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.