Compliance Perspectives

By Adam Turteltaub The 2024 CMS Medicare Physician Fee Schedule extends no less than ten different pandemic flexibilities related to telehealth. In this podcast, Randi Seigel, partner and Jared Augenstein, managing director, at Manatt take us through all of them, including in-person visit requirements, audio-only services, physician supervision and opioid treatment. They also address: * Changes in the structure of the telehealth services list * Changes to payment by place of services * Remote psychological and therapeutic monitoring * Enrollment and revocation * A new opportunity for payments for social needs of Medicare beneficiaries Listen in to learn more about what’s new, what’s the same, and what will sunset at the end of 2024.

By Adam Turteltaub Effective investigative interviews are both important and sensitive. To get some pointers about how to conduct them properly, we turn in this podcast to Wendy Evans, Senior Corporate Ethics Investigator at Lockheed Martin. Wendy is also an instructor for the SCCE Fundamentals of Compliance Investigations workshops. She recommends starting by doing your homework. Before you talk with anyone, whether a possible witness or the subject, get all the information you can from the reporter. Then, review it to see if it includes the what, where, when, why and who. If you don’t have all that information, take the time to find it since it can identify what the potential motivation behind the incident was. With that information in hand, check your case management system to see if any of the parties were involved in previous reports. Follow that by notifying HR and the subject’s manager that you will be conducting an interview. They may have important insight. Think through what other evidence you may need for the investigation, including expense and audit reports. If you are going to conduct the interview remotely, she offers four pieces of advice: * Be sure to schedule it appropriately. Sending a meeting request on a Friday for a Monday meeting can create an entire weekend of unnecessary stress for the individual. * Mark the meeting request as private so you, and they, don’t have to worry about others seeing it. * Ensure that the person has video and a private place to talk. * Always include your phone number in case a technology glitch gets in the way. At the time of the interview, don’t just jump into the questions. Take time to build some rapport. This will help reduce the stress level. Then, when you start asking questions, begin with broad ones -- “tell me about your work” or “what were your last three business trips?” --  that aren’t simple yes or no. Then, over time, move in to more narrow, specific questions. When it’s time to get to the hard questions, help the subject prepare themselves psychology. Preface then by saying something along the lines of, “I have to ask you a tough question.” When concluding the interview, ask: Is there anything else I should know but didn’t ask you? That can prompt the sharing of additional information. Finally, be sure to thank them for their time and cooperation. Be sure to also reiterate what the investigation process is and what they can expect next. Listen in to learn more, and, maybe, join her at an upcoming Fundamentals of Compliance Investigations workshop.

By Adam Turteltaub Matt Kelly (LinkedIn), Editor and CEO at Radical Compliance is a close watcher of all things compliance, and in this podcast he shares his take on both the top stories of 2023 and what he sees in the cards for 2024. FCPA On the Foreign Corrupt Practices Act front, he noted a change in enforcement. While the volume of resolutions declined on the DOJ side, the SEC has remained very active. Perhaps most notably, the Albermarle case had an interesting twist. The way the company did business was changed dramatically as a part of the settlement, he reports, with a restructuring of its overseas sales and the end of the use of third parties. He speculates this may be the start of a new trend in which monetary penalties are accompanied by required changes to the way companies do business. Also of note in FCPA was the announcement by Lisa Monaco at the SCCE Compliance & Ethics Institute of a leniency policy in mergers and acquisitions. Because of the relatively short timeline for finding and disclosing problems, there is a strong incentive for organizations to involve the compliance team early and deeply in these transactions. SEC Cybersecurity Rules The July SEC rules on disclosures of cyber incidents require firms to disclose an incident within four days. Companies will need to describe the nature, timing and material consequences. That will increase the importance of thorough and prompt cyber materiality assessments, as well as both quantitative and qualitative impacts. Greenhouse Gas Disclosures The SEC’s proposed rule on greenhouse gas disclosures is now the longest and most commented rule in history. It also has not been finalized while, in the meantime, both California and Europe have passed their own laws. The rule is likely to be very complex and impose a significant burden on companies. Healthcare The biggest news he saw in 2023 was the new General Compliance Program Guidance issued by the Office of Inspector General at HHS. The document makes it clear that it expects a fully independent compliance program. As the document states: The compliance officer should: * report either to the CEO with direct and independent access to the board or to the board directly; * have sufficient stature within the entity to interact as an equal of other senior leaders of the entity; * demonstrate unimpeachable integrity, good judgment, assertiveness, an approachable demeanor, and the ability to elicit the respect and trust of entity employees; and * have sufficient funding, resources, and staff to operate a compliance program capable of identifying, preventing, mitigating, and remediating the entity’s compliance risks. The Future Looking to the future he asks if others will be as supportive as the OIG at HHS. He also points to other things to watch such as the Foreign Extortion Prevention Act, the PCAOB’s extremely controversial NOCLAR proposal and

By Adam Turteltaub We all want the compliance team to be approachable. It would be ideal if, when people thought of compliance, they had positive, maybe even warm and fuzzy, associations in their mind. But, how do we get there? For BroadPath, a friendly blue koala was the answer. In this podcast, Jaime Watkins, the compliance officer there, explains that she drew inspiration from the Basic Compliance & Ethics Academy and an exercise that called for creating a compliance mascot. Back at the office she created a contest among employees to create a mascot as a part of the company’s celebration of their compliance and ethics week. A winner was selected, and, with the help of the marketing team, the blue koala was born. Since then, the furry critter has been a regular part of their training, newsletter and is used everywhere that they can, even sometimes straying to the activities of other groups in the company. The impact of the koala has been enormous. People enjoy seeing variations of how it is dressed up for holidays and it even plays a role in regular compliance trivia contests. Listen in to learn more about how a mascot could help your compliance efforts.

By Adam Turteltaub Decades ago, while at a bit of a career crossroads, I was thinking of making a dramatic change and moving halfway around the world. I was talking it through with a friend who said that one day he asked himself whether he wanted to have a successful career or an interesting one. He realized that interesting was more important to him. That decision led him from Missouri to New York to Hong Kong, Singapore and Thailand, where he ended up enjoying great success. Ricardo Weffer, Group Ethics and Compliance Head of Al Dahra, has had a similar career journey that ranged from Venezuela to Dubai with countless points in between. In this podcast he shares his almost two decades of work in compliance and anticorruption in Latin America, the Middle East, Sub-Saharan Africa, Central Europe and Asia. A lawyer by training, he has worked in energy, banking, tobacco, logistics and agriculture. Despite all this variety, both in geography and industry, he shares that there are professional commonalities wherever he has gone. These include great compliance and business leaders who stand for what is right and are willing to fight for it. He has also found, happily, that, no matter what the industry, companies are mostly made up of real, hard-working, well-intentioned people driven by values who want to do the right thing. What wisdom does he have for those thinking of having a global career?  He offers three pieces of advice: * Be adventurous and open to new experiences. * Be willing to be taught. * Enjoy it. Working and living abroad can be tough, but the rewards are worth it. Listen in to learn more, including some inspiring words about the impact of compliance professionals.

By Adam Turteltaub Compliance professionals can face a lot of resistance in the course of their work: leaders who don’t have the time, budget limits, managerial indifference, and even outright hostility. But, sometimes the impediments are inside us. In this podcast, Kristy Grant-Hart, CEO of Spark Compliance Consulting and author of the new book Your Year as a Wildly Effective Compliance Officer, points out that sometimes we get in our own way. It’s just easier for us to see what the external blocks are than it is to see those we create for ourselves. Overcome them, she argues by trusting your own value. Ask for what you want, and don’t trust that others will see the need. And, when you do ask, be sure to make clear what value the compliance program provides. She also cautions against falling into Imposter Syndrome and feeling as if you don’t belong in the room. Sitting there quietly doesn’t help, in fact it hurts by giving others the impression that you and the compliance team are not adding value. Instead, speak up at every meeting so that you can be perceived as a contributor. On the personal level, set goals for yourself. Pick an area to deepen your expertise and another to grow personally, such as in speaking publicly or improving your productivity. Also, look to growing your network. Plan on attending in-person meetings and then follow up with the people you meet there. Don’t just make them another entry in your Outlook contact list. When it comes to those external barriers, she advises not taking push back personally because most often it isn’t personal. People have other commitments. In fact, look at why they are pushing back and evaluate if the criticism is fair. If it is, then adjust your efforts. If it isn’t, let it go. Not everyone is going to get along with you. Finally, she discusses how to ensure you don’t let work take over your life. Reserve time for family, friends and your passions, and keep those commitments. When it comes to after-hours emails and texts, don’t answer them if you don’t have to, or if you do, send a delayed respond. That way people learn you won’t be responding 24/7/365. Be considerate, too. If you think of something in the evening and want to get a note out that isn’t urgent, be sure to let the recipient know they don’t need to respond right away. Listen in to learn more about how to clear your internal path and become your own best ally in compliance.

By Adam Turteltaub We are starting a new year of Compliance Perspectives podcasts by going back to basics with an episode designed for those who are charged with starting a compliance program. While the conversation is directed to this audience, there are some good reminders even for established programs. Providing guidance are Pam Cleveland, Compliance Officer – Medicare Advantage for UCLA Health FPG and Megan Grifa, Senior Director, Compliance at Sidecar Health. So, if you are charged with launching a program, where do you begin? They advise starting by taking the time to develop a work plan that outlines your compliance program elements. Look to see what the regulatory requirements are for the business you are in and make a catalog of them. That, in turn, will help you set the objectives of your program. Next, take the time to tailor those requirements to the unique aspects of your organization. To do so, first spend time with operations to understand their level of knowledge, processes, resources and documentation. That will help you prioritize what needs to be done. Take the time also to gain the support of leadership. They may need education in everything from what a compliance program is to the specific requirements of your situation. One very effective technique is bringing them examples of non-compliance in your industry and the consequences of it. On an ongoing basis, follow the seven elements of a compliance program and make sure that you prepare your colleagues for the fact that changes happen. Law and regulations evolve, and the compliance program must do the same. It will help things go a bit smoother when you have to institute a new direction. Listen in to learn more about the essential steps for starting a compliance program.

By Adam Turteltaub When compliance professionals discuss AI most of the conversation tends to focus on the risk.  Frank Orlowski (LinkedIn), Founder and President of Ation Advisory Group, though, is far from all gloom and doom on the topic. In fact, he believes AI can be an asset to compliance programs. AI, he explains, can be of great value for compliance any place where there are large amounts of transactions that need to be monitored and checked. Two notable examples are travel & entertainment and accounts payable/vendors. AI is very useful for identifying outlier transactions that could be a sign of trouble. In manufacturing, it can be very helpful in monitoring materials being used. AI can also be helpful, he believes, in ESG efforts. But, there are limits. AI is not ready for handling contracts, he argues. It is also chronically deficient when it comes to addressing the gray areas of ethics and fairness. There it’s important for compliance teams to work with the business unit closely to ensure decisions are adequately documented and AI does not make decisions that would be regrettable from an ethics perspective. Listen in to learn more about how AI could help your compliance efforts.

By Adam Turteltaub The topic of conflicts of interest (COIs), especially in healthcare, is a very broad one. It can encompass professional activities, board membership, purchasing, procurement and more. But it is the financial conflicts, especially for those that conduct research, that can be most problematic. To help unpack the topic we are joined in this podcast by Will Crawford (LinkedIn), an associate in the DC office of Hogan Lovells. He explains that, in the case of research, a COI occurs whenever the interest of the investigator, their spouse or children can affect the design, conduct, or reporting of institutional research. And, of course, there is a potential conflict when activities like consulting and speaking can affect primary employment areas. Federal regulations have expanded greatly in this area, with the Public Health Service now being joined by the US Department of Energy and even NASA with regulations of their own. Compliance teams need to monitor the changing direction from all three. What else should compliance teams be doing? First, ensure the training is adequate and reflects the changing regulations. That includes helping others understand that the changing regulations are a necessary reflection of evolving risk. Second, ensure that the compliance team, itself, understands the current rules; there is much confusion out there. Other things to consider or embrace: * Centralizing the process for managing COIs * Requiring more disclosures and independent review boards * Planning for greater transparency * Developing policing and monitoring systems Finally, be mindful of joint ventures. They can create great opportunity, but they also carry substantial risk.

By Adam Turteltaub Record retention and information governance have grown exponentially more complex as the number of laws have proliferated and the amount of data housed has exploded. This has vastly complicated the question of what data to hold onto and for how long. Mark Diamond, CEO of Contoural, points out that sometimes there are even competing and conflicting compliance regimes. For the most part, the rules specify a minimum number of years that information must be retained. However, organizations can typically retain records longer if there is a compelling and documented business need. Still, the temptation to just hold onto the data must be resisted. In this podcast he outlines the importance of getting a good handle on what data the organization has, categorizing it appropriately, determining how long it will be retained, and how it will be destroyed. Typically, this is an exercise involving multiple disciplines, including compliance, legal, IT, security, privacy and the business unit. A committee is likely the best way to manage the challenge, and having a compliance person in the lead position can be very useful. Listen in to better understand how the information in your organization can be governed more effectively, who to involve, how to structure the effort, and the important difference between information governance and data governance.

By Adam Turteltaub Ronnie Feldman (LinkedIn), CEO, Founder and Creative Director of Learnings & Entertainment, thinks that compliance teams play too much defense and not enough offense. What does that mean?  In this podcast he explains that offense is the proactive preventative measures designed to prevent problems. Defense is reactive and made up of investigating allegations and cleaning up issues. To his experience, the time and money are more focused on defense than offense. So what should we do? He recommends realigning efforts, starting with looking at the key influences of behavior: the social environment and the influence of leadership. That includes changing the perception of compliance and turning it into a more positive one. One specific step he advocates is making the training more relevant and enjoyable to take. On the leadership level, he advocates for making them a larger part of the ethics team by providing them with the tools they need to address ethics issues. This could include videos to share and simple learning exercises they could take their teams through. All of these efforts can promote an environment of psychological safety and lay the groundwork for a compliance program that works and delivers measurable results. Listen in to learn more about how your program can play more offense.

By Adam Turteltaub On February 22, 2022 the European Commission adopted a proposal for a directive on corporate sustainability due diligence.  In this podcast, George Porter, Knowledge and Training Manager at Ground Truth Intelligence reports that the directive, which is still being negotiated, is both a continuation of past measures and something new. It is designed to unify a great deal of previous regulations and create an ESG framework for both EU-based companies and those doing business in the EU. The directive covers three key areas: environmental risk, social goals such as modern slavery and child labor, and governance. The governance portion, importantly, addresses the duty of care and the need to conduct due diligence. It also significantly expands the stakes for organizations. Due diligence of the supply chain continues but organizations will now be responsible not just for how they sourced materials, but also how their products are disposed of. To back it all up there will be substantial potential penalties, including civil liability and fines up to 5% of global turnover. So what should organizations expect to do differently or better from a compliance perspective? He recommends preparing for a greatly enhanced auditing and monitoring program. Action plans will be needed for suppliers who need to improve their efforts. On a continuous basis there will be a need to check that these plans are being followed and attestations are not just tick boxes. Listen in to learn more about how this directive will likely lead to substantial changes in the ways in which organizations do business and what compliance teams need to start preparing for.

By Adam Turteltaub While the pandemic seems, at least for now, to be receding into our past, many of the changes from it have not, including a large percentage of the workforce that works remotely. While in some ways we have gotten used to this new normal, Lori Tansey Martens (LinkedIn), President, International Business Ethics Institute warns that there remains cause for concern. Specifically, the prevalence of high number of remote works has been and continues to negatively impact corporate culture. Culture is made up of the shared values and beliefs, norms, values, mission and purpose, and in many ways it differentiates one organization from another. Recent research shows that the common fabric binding people together into one culture is fraying. Survey data she shares shows that employee feelings of alignment has decreased substantially, and while those declines have leveled off among in-office and hybrid employees, they have not among remote workers. Remote workers also have the highest turnover rate and intent to change jobs, which suggests that they view their work as more transactional and are less committed. That can have a huge impact on ethics and compliance. Research suggests that employees who feel less loyal and committed are less likely to take into consideration reputational risk and long-term damage to the organization. Add to that data suggesting they are less likely to speak up, and it’s a dangerous prescription. So what should organizations do? For one, strive to connect people more fully. When workers are in the office together it’s okay to bring in remote workers via Zoom, but be sure that the people in the room are not just staring at their own individual laptops. You don’t want to exacerbate the issue by making in office people wonder why they should bother, given that they are still on Zoom. Look to do more in person rather than virtual training, people are already staring at their computers enough. Managers also need to be trained on how to manage and build teams with hybrid and remote workers. As she notes, we have totally upended the way we do business without giving them any real training. When bringing on new remote employees seek to make them feel connected. Send them a package with items reflecting the local flavor of the office and notes from their new colleagues. Make a commitment to bring them into the office occasionally.  You can’t immerse them fully in the culture without doing so. Finally, track separately in-office, hybrid and remote workers on training, helpline calls and other metrics to make sure that the culture is present throughout your workforce, not just the in-house one. Listen in for more.

By Adam Turteltaub While most eyes have focused on the US Department of Justice’s document Evaluation of Corporate Compliance Programs when looking for guidance, it’s not the only DOJ source out there. Josh Drew (LinkedIn), Member, Miller & Chevalier explains that it would be wise to also look to Attachment C. What is it? It’s a document typically attached to Foreign Corrupt Practices Act (FCPA) resolutions. It specifies what the defendant company will need to do to establish and maintain an effective corporate compliance program. As a result, it, like the Evaluation document, provides very clear guidance as to what the DOJ’s thinking is when it comes to compliance. In August and September 2023 there were several changes to Attachment C. For one, it expanded the call for support from senior management down to include midlevel management as well. It specifically points to the importance of their tone and conduct:  “The Company will ensure that mid-level management throughout its organization reinforce leadership’s commitment to compliance policies and principles and encourage employees to abide by them.” In the realm of training, it calls for metrics to assess the effectiveness of the training, not just that it was given. That’s a theme consistent with other direction from the DOJ. Not surprising for an FCPA-related document, it also calls for documenting the business justification for engaging a third party and ensuring that contract terms are specific. Third parties should also be tracked after the initial engagement, which means ongoing due diligence. And, here, too, as elsewhere, the Department of Justice reinforces the importance of both incentives for good behavior and disincentives for bad. Listen in and then be sure to spend some time reading Attachment C.

By Adam Turteltaub At this point anyone in healthcare who doesn’t have a plan for managing HIPAA compliance risks is behind the eight ball and times. But, for those who do have a program in place, the question is: does it currently reflect your risk profile? Nancy Roht (LinkedIn), Managing Principal at Compliance Pro Consulting points out in this podcast that just because the HIPAA regulations don’t specify how often a HIPAA risk assessment should be done it’s best to do so annually, and perhaps even more frequently if something significant happens. Changes in leadership, organizational structure, goals, quality and major vendors can all call for a fundamental reexamination of your strategy. When conducting the assessment, don’t mistake it for a gap analysis. Make it a true assessment of risk and put together a work plan to address any deficiencies. When conducting the assessment, she recommends interviewing both leadership and staff to get a comprehensive picture. Take an inventory of the PHI you have, potential threats, vulnerabilities and security measures. Then, assign risk levels, prioritize and document your thinking. Years from now no one will remember what decisions were made and why, without the documentation. Be sure to look externally at your business associates, particularly those with evergreen agreements. They may have run out of date. Listen in to learn more about how to make your HIPAA risk assessment stronger.