The fifth essential element of an effective Compliance and Ethics Program is monitoring, auditing and internal reporting systems. These elements are interconnected and rely on conducting an organization-wide risk assessment to evaluate potential areas of risk. The risk areas can then be prioritized on a work plan, which will show how the organization plans to mitigate those risks through systems of monitoring and auditing. Risk assessments should be done annually and on an ongoing basis as changes occur in the organization that affect risk factors.

How do you determine which risk factors should be assessed for your organization? There are multiple areas to consider. One is the guidance set forth by the Office of Inspector General (OIG) for risk areas that all health care organizations should assess, such as Medicare billing, physician billing, changes in key processes, personnel changes, human resources, financial management, and compliance issues identified through internal reporting systems. Another area involves keeping up with current risk issues based on enforcement activity, OIG fraud alerts, and new laws and regulations. Arguably, the most important risk areas to consider are those that are of most concern to your individual organization. This might be determined through surveying department heads and/or interviewing key leaders to determine their highest areas of perceived risk. Some of these might include survey history, safety, coding, credentialing, quality ratings, staff training, and conflicts of interest.

The severity of risk in the areas identified should be assessed (usually on a scale of low, moderate or high) to determine which risk areas will be priorities in the development of the work plan. The work plan demonstrates that the organization knows where its potential problems are and is taking action to mitigate them. The work plan will need to include auditing and monitoring of the primary risk areas. Auditing is typically done by someone outside the functional area, such as a consultant or accountant. An example of this is having a Mock Survey of a skilled nursing facility to ensure that the care being provided is meeting the government regulations. Monitoring is an ongoing review that is usually performed by a person responsible for or experienced in that area. This may include a review of billing by an internal team to ensure that the appropriate coding is being used.

The systems of auditing and monitoring included in the work plan should identify violations of laws and regulations, as well as non-adherence to compliance policies and procedures. The results of auditing and monitoring should be analyzed with tracking, trending and benchmarking. To ensure objectivity, the results should be evaluated by external entities. Any problem areas identified should be addressed through the implementation of a plan of correction.

The auditing and monitoring systems cannot be relied on to identify every problem area. To ensure that knowledge of inappropriate activity is reported, it is vital to have internal reporting systems that encourage staff to report any concerns or suspected misconduct. The options that need to be available include reporting to:

1. The employee’s supervisor or leadership
2. Human Resources
3. The Compliance Officer
4. The organization’s Compliance Hotline

The hotline should be well advertised and allow for anonymity and confidentiality, to the extent that is legal and practical. There should be a strong stance on protection from retaliation, with monitoring to ensure that this has not occurred. Leadership and compliance staff need to be approachable and trusted. They need to be diligent in following up on any reported concerns on a timely basis.  If staff do not feel comfortable using the internal reporting systems, their alternative may be to become a whistle blower. If reports of misconduct are made to government and regulatory agencies, it is in the best interest of the organization to self-report based on knowledge obtained through the effectiveness of their monitoring, audition, or reporting systems.

References: Measuring Compliance Program Effectiveness: A Resource Guide; HCCA-OIG Compliance Effectiveness Roundtable Meeting, January 17, 2017, Washington D.C.; Insider’s Guide to Compliance, S. Walberg, 2018, Compliance Ala Carte.

Friends Services Alliance (FSA) is a national professional association of values-aligned organizations that serve seniors. Our support services include a team of Compliance and Risk Management experts who have supported organizations in developing and maintaining effective Compliance and Ethics Programs for over 20 years.