Compliance Perspectives show

Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: service@corporatecompliance.org

  • Artist: SCCE
  • Copyright: Society of Corporate Compliance & Ethics

Podcasts:

 Erin Bliss on The Telehealth Risk Report [Podcast] | File Type: audio/mpeg | Duration: 13:56

By Adam Turteltaub In December 2020 the Pandemic Response Accountability Committee (PRAC) issued the report: Insights on Telehealth Use and Program Integrity Risks Across Selected Health Care Programs During the Pandemic. To better understand the PRAC and the report, we spoke with Erin Bliss, Assistant Inspector General for Evaluation and Inspections at the Office of Inspector General for the Department of Health & Human Services. As she explains in this podcast, the PRAC was formed as an outcome of the CARES Act. Its mission is to promote transparency and coordinate oversight of the federal coronavirus response; prevent and detect fraud, waste, misuse and mismanagement; and identify risks across agencies. The Offices of Inspector General from HHS, Justice, Veterans Affairs, Defense, Labor and Office of Personnel Management are all PRAC members. The report revealed how great an increase there was in telehealth. In the first year of the pandemic, telehealth usage increased from roughly 3 million people across six federal programs to 37 million. This change was largely the result of an expansion of the Medicare rules, which previously had limited telehealth to rural communities during in-office visits. While few today dispute the value of telehealth, that does not mean its use has come without challenges. More data, the report notes, is still needed for oversight of telehealth’s use and impact, particularly on quality of care. In addition, data collection policies need to be improved since many providers have kept only rudimentary information. At the same time, the report identified activity that indicated waste, fraud and abuse. These included billing the same service twice, billing for extremely high amounts of telehealth services, billing for services that did not seem appropriate for telehealth, and billing at the highest, most expensive level. If there is good news to these findings, it is that the risks are ones already familiar to healthcare providers.
Established risk management and compliance tools will likely be useful. Listen in to learn more about what the report revealed and what steps you can take, including active monitoring, to ensure the integrity of your organization’s telehealth services.

 Jochen Vankerckhoven on Audience-Driven Compliance [Podcast] | File Type: audio/mpeg | Duration: 11:40

By Adam Turteltaub Compliance programs start with the laws and regulations, but compliance failures begin with people. That’s why, argues Jochen Vankerckhoven (LinkedIn), founder of Antwerp-based Compliance Explained, it is essential to take an audience-driven view of compliance programs. What that means in practice is designing and implementing a program that is suited for the people who are the intended audience. It also means valuing your audience and realizing it is one of the main pillars of a successful program. Think, he advises, of your compliance program as having two parts: a front and a back end. The front end is what the workforce sees. Then consider what the right message is and the right time to deliver it so it has the most meaning to your audience. Be reasonable with your communication goals. Strive not for a deep understanding of a topic but for awareness of an issue and where to go to get help. On the back end, have the right controls in place and recognize that it is better to prevent a problem in the first place than to rely on those controls. Listen in to learn more about this unconventional approach to thinking of compliance programs.

 Jessenia Cornejo and Brittani Summers on Auditing & Monitoring [Podcast] | File Type: audio/mpeg | Duration: 15:31

By Adam Turteltaub Auditing and monitoring is a required element for an effective compliance program, but it also carries with it a host of benefits. In this podcast, Jessenia Cornejo (LinkedIn), Chief Compliance Officer for Bridge Diagnostics, and Brittani Summers, Compliance Manager for Sprinter Health, outline all you can get from a robust auditing and monitoring program and how to create one. Benefits of a strong auditing and monitoring program include:

  • Measuring the effectiveness of your compliance program
  • Identifying criminal or malicious conduct
  • Highlighting risk areas
  • Accountability
  • Transparency
  • Continuous improvement (which the government is looking for these days)
  • Greater collaboration with other departments

In addition to all these benefits, a strong program in this area can pay enormous dividends when a regulator or the Department of Justice comes knocking at your door. When launching an auditing and monitoring initiative they recommend putting a work plan in place. It will enable you to manage the implementation to your goals and objectives. Be sure to include scheduling, they advise. It will help you stay on track. Then share the plan with leadership or the compliance committee. That will help ensure buy-in, identify constraints and risks, and help you get any additional resources you may need. They also offer one simple, but important, piece of advice: don’t try and do everything all at once. Don’t wait until everything is in place before beginning. Instead, focus on the top risks as soon as you can. Likewise, don’t try and audit everything all at once. It can be better to tackle one item at a time. Listen in and learn more about how to make your auditing and monitoring program a success.

 Haydee Olinger on When a Compliance Officer Becomes a Board Member [Podcast] | File Type: audio/mpeg | Duration: 11:11

By Adam Turteltaub With increased focus on the board’s oversight of compliance programs by the US Department of Justice and the Delaware Courts, there is a strong case for adding compliance officers to boards of directors, and many compliance professionals have the skills. Few, though, have been able to make the leap. Haydee Olinger (LinkedIn), Sr. Advisor at Barker Gilmore, and former longtime chief compliance officer at McDonald’s, is one of the few who have. She has now served on the board of two publicly-traded companies. How did she do it? She was able to find her way onto the first board through a combination of networking, and by virtue of the fact that she had such deep experience in the quick serve restaurant category. Her journey is a good reminder to compliance professionals that your position doesn’t just mean you have expertise in compliance. You also have expertise in the industry in which you work. The compliance role gives you insight into all the various aspects of the business. It’s an asset not to be downplayed when pursuing board positions. Despite having worked with boards as a compliance officer, she reports that serving as a board member greeted her with many surprises. For one, board members don’t have the opportunity to settle in and learn the business. They have to hit the ground running and address a wide range of issues, which these days include the lingering impact of covid, supply chain challenges, inflation, labor shortages, IT security and, of course, compliance. Second, as a board member you have to reorient your thinking away from an executive whose job it is to get things done to a role of strategy and oversight. That means as a board member you need to stay out of the weeds. One implication for compliance officers meeting with the board: don’t bog it down in detail. Instead focus on corporate risks, their likelihood of occurrence and what is being done to mitigate them.
While in the meeting, listen carefully to board questions to anticipate what they will need for future meetings. Between meetings, build a relationship with the relevant committee chair, board chair and even individual board members. The more interactions you have with them, the easier it will be to anticipate what they will want to know. Listen in to learn more, and, perhaps, start thinking about how you can make the leap to board membership.

 Matt Nobles on Working Abroad [Podcast] | File Type: audio/mpeg | Duration: 9:44

By Adam Turteltaub A lot of people, myself included, have wondered what it would be like to live and work abroad. Matt Nobles, Chief Compliance Officer – Middle East & Africa for GE Gas Power, has lived the life, even as a child. As he shares in this podcast, he spent his childhood as an expatriate kid living in Southeast Asia, and for many years now he has lived in Dubai. It’s a life he has enjoyed greatly, meeting people from all over the world, and experiencing a wide range of cultures, food, music and art. It has also enabled him to expand his network and count friends all over the world. His family has benefitted too, with his children enjoying an experience they would not otherwise have had. In terms of one’s career, time spent in another country can have many benefits. A short-term assignment in a difficult region could lead to promotions when returning home. Alternatively, one assignment abroad could lead to another and another, and a life of living all over the world. So what should you do if you have the desire to live and work abroad? First, he recommends considering the unique aspects of the region you are contemplating, the cost of being far away from family and the opportunities in that region versus others. When you get to your new posting, he recommends spending the first 90 days listening as much as possible. Connect with your local team, learn their compliance challenges and the local dynamics. These include cultural, geopolitical, and legal factors. Next dig into legacy issues to understand what has gone wrong in the past, and how it has been fixed, or still needs to be. On the personal side, the first thing, of course, is getting yourself and family settled in. Then build out a local community for yourself to make the experience more enjoyable for you and your family. Be sure to take advantage of local experiences. Expat blogs and even books can be very helpful in helping you understand the region and the local mindset.
One mistake to avoid, he warns, is trying to focus on the American or Western way of doing things. Don’t go charging in with a fixed view. Instead, listen carefully to learn how things are done locally. Listen in to learn more, and then, maybe, start packing your bags.

 Troy Fine on Data Security Standards Audits [Podcast] | File Type: audio/mpeg | Duration: 14:55

By Adam Turteltaub With enhanced concerns and vigilance over cybersecurity has come an increasing number of yardsticks that organizations must measure themselves against. As Troy Fine, Director, Risk and Compliance at Drata explains, in addition to legal requirements such as the European General Data Protection Regulation (GDPR), HIPAA and the California Consumer Privacy Act (CCPA), two key standards have emerged:

  • SOC2: This standard was developed by the accounting body ISACA and is primarily of import to US-based technology companies and startups. Audits are performed by CPA firms on internal controls related to security.
  • ISO27001: More popular in Europe, it is a certification on information security management systems, examining how risks are identified and mediated and what control plans are in place.

To prepare for an audit he recommends first getting a good understanding of the relevant standard so you understand all the elements it requires and what it will take to meet those requirements. Next determine when you will need the certification in hand and start building a timeline backwards to determine when you need to start. Calculate, too, what it will cost in terms of time, people and everything else, including the price of the audit. How you work with the auditor will depend largely on which audit you pursue. He explains that SOC2 audits allow for more consultation than ISO27001 does. When hiring an auditor, it can be tempting to use the one with the lowest price. He recommends, though, being careful before going down that route since the auditor is likely to have less time to give. Be sure also to ensure that the auditor has the necessary expertise to be able to evaluate your technology. Some may not be as well versed on various elements, including cloud services, as they should. Once the audit begins, compliance teams can be helpful by ensuring that all the data and people the auditor needs are available.
And, he advises, be transparent, even about your gaps. Listen in to learn more about having a successful data security standard audit.

 Nick Weil and Mayesha Awal on Data Inventories [Podcast] | File Type: audio/mpeg | Duration: 13:52

By Adam Turteltaub Personal data, especially in healthcare, seems to breed on its own, which is why, like the dinosaurs in Jurassic Park, it’s critical to keep close tabs on where it is and how it is used. First stop: a data inventory. Nick Weil and Mayesha Awal (LinkedIn) of Epsilon Life Sciences explain that a data inventory is necessary because often organizations don’t have a strong handle on their data. You need to take a noun and verb approach, they explain. The noun addresses where the data is: what computers, servers and file cabinets it is stored in. The verb speaks to what is being done with the data. What are the processing activities? What functions are accessing the data? It's good information to have for its own sake, but under data protection regimes ranging from GDPR in Europe to HIPAA in the US, it is essential. It is also a project that is often filled with surprises. Compliance teams conducting an inventory may discover a wide range and types of data processing activities. These can include GPS information, payment card method, biometrics and much more. Plus, of course, there are the number of ways that vendors may be using the data, and what information may be in the Zoom call that just got recorded. Listen in to learn more about how to uncover and manage the data in your organization’s inventory.

 Richard Bistrong on the Line Between Gift Giving and Bribery [Podcast] | File Type: audio/mpeg | Duration: 12:46

By Adam Turteltaub The holidays are here, and with them come good tidings of comfort and joy, and increased corruption risk. Holiday gifts, both given and received, can lead to serious compliance challenges. In this podcast Richard Bistrong of Front-Line Anti-Bribery warns that 2022 may be particularly difficult. For many this will be the first time in several years that they have had the opportunity to connect face to face with customers and vendors. There may be a desire to make up for lost time, and the rules of the road for giving may have been forgotten. Some may even be tempted to dip into their own pocket to keep the gift off the books. Complicating matters, it’s difficult to find a rule of thumb for gift giving that reflects all the various nuances from culture to culture around the globe. However, employees can learn to look to the code of conduct, reach out to managers and contact compliance to ensure that they are staying between the guardrails. It’s important that workers know that the rules apply to gifts given to government officials and also to employees at other companies. Commercial bribery is a real risk, and a gift that may be perceived as creating an obligation of some sort is not appropriate. Even charitable giving may be problematic. Although a part and parcel of the regular giving of many industries, it’s important to ensure that the funds are being used appropriately and that the charity is not tied closely with a government official. In general, organizations need to embrace reasonable and transparent gift giving. To that end, a gift registry can be extremely helpful, tracking both what is given and received, as well as any gift giving plans. Finally, don’t forget to train employees on what gifts they can accept, and to warn them that it’s easy, as Richard learned, for a seemingly innocent gift to lead them down a dangerous path.

 Harsh Kariwala on Compliance Automation [Podcast] | File Type: audio/mpeg | Duration: 8:35

By Adam Turteltaub Harsh Kariwala, CEO of VComply, warns that traditional tools for managing compliance programs, such as spreadsheets, may be hurting your compliance program. They often are not scalable and can lead to inefficiencies and unnecessary complexities. Automating your compliance program can be a natural choice, but organizations may resist doing so out of budgetary concerns or mindset. Budget is typically of greatest concern for smaller organizations, which have less to spend and are eager to build or sustain their cultures. If your organization is ready for automation, he recommends identifying the tools and technology that you would want, followed by defining what process you want to start with. Take a phased approach to automation rather than trying to do everything at once. Pick one area to start, and analyze what is going right and wrong in the process. This will give you a better sense of the tools you will need and challenges you face. Measure success by the value it provides to the end user in areas such as time saved versus manual projects and potential penalties that are avoided. Finally, he advises avoiding the mistake of trying to do everything at once. So, take the first steps now, and listen to the podcast, but not all the podcasts.

 Betsy Wade on the Strategic Side of Compliance Budgets [Podcast] | File Type: audio/mpeg | Duration: 11:16

By Adam Turteltaub A compliance budget is a lot more than the numbers in it, explains Betsy Wade (LinkedIn), Chief Compliance & Ethics Officer at Signature Healthcare. It should be a reflection of the organization’s priorities and risk profile. The budget is also a point of focus of the US Department of Justice when examining a compliance program during an investigation. Their Evaluation of Corporate Compliance Program guidance for prosecutors asks not only if there are sufficient resources but if they are allocated on a “risk-tailored” basis. So, what is the right budget to have? To determine that answer she recommends compliance teams do a risk assessment and determine what mitigation efforts will be needed. In addition, benchmark against other organizations to learn what they are spending and doing. Just try to make sure that you do so against as similar a business as possible. Look also to publicly available resources such as benchmarking surveys from HCCA and SCCE. Keep your eye out, too, for what regulators and enforcement authorities are saying. US Assistant Attorney General Kenneth A. Polite, Jr., she reports, recently called for compliance FTE for every thousand employees. The compliance budget should include the cost for all that compliance personnel. Also in the budget should be any travel, certification costs of staff members, staff training, services purchased, and more. To win management approval, she recommends continued analysis of the budget and making adjustments. She also advises using the risk assessment as a tool to support the compliance team’s budget request. Listen in. Doing so won’t add a penny to your budget.

 Felipe Sottorff Araya on Corporate Criminal Liability in South America [Podcast] | File Type: audio/mpeg | Duration: 8:45

By Adam Turteltaub Go back roughly twenty years and you wouldn’t find a country in South America that had corporate criminal liability laws. Today, though, the picture has changed dramatically. Felipe Sottorff Araya (LinkedIn), a compliance consultant from Chile who recently moved to the US, reveals that half of the countries now have corporate criminal liability statutes, the latest being Colombia. That doesn’t mean they all have the same laws. There are significant differences among the countries when it comes to triggers for corporate criminal liability. Some have adopted broad rules; others have taken a narrow route. There are common elements, however. Bribery is treated as a corporate liability trigger throughout. In addition, the crime has to be committed to benefit the company. Another common element: expectations for compliance programs. Each country follows the seven elements approach found throughout the world. Listen in to learn more about the changing landscape of corporate criminal liability and also learn where organizations are most likely to fall short in their compliance efforts.

 Deena King on Avoiding a Compliance Winchester House [Podcast] | File Type: audio/mpeg | Duration: 12:03

By Adam Turteltaub The Winchester Mystery House is both an unusual tourist destination, and a good metaphor, as it turns out. Built by an eccentric heiress who never stopped making changes and additions to it, the home is filled with dead-end passages and stairs that lead nowhere, a result of the constant building. Ultimately it grew to 24,000 square feet, 10,000 windows and 2,000 doors. In this podcast, Deena King, author of Compliance in One Page and a working compliance professional, tips her hat to Andrew Nebbett of Ethisphere and the warning to avoid creating a Winchester House of a compliance program. Too often compliance programs have one piece after another built onto them as they grow to accommodate more risk areas and parts of the organization. Worse, sometimes those pieces operate independently, leading to redundant efforts and a lack of cross pollination of ideas. To avoid this chaotic mishmash, she advises pursuing what she calls “strategic compliance”. Instead of focusing on the seven elements of the program, focus on the ultimate goal: to prevent, find and fix problems. Then treat the elements as a means, not an end. Develop a strategic model, she advises, and then push it out through the organization. It helps prevent additions that are separate from the main program and don’t really fit with it. Set up, too, a network for your compliance teams to communicate with each other, share insights and avoid learning dead ends. Listen in to learn more, and let us know if you’ve been to the Winchester Mystery House.

 Alan Wilemon on Doubt Mining [Podcast] | File Type: audio/mpeg | Duration: 11:47

By Adam Turteltaub The compliance team has a new initiative, or you need to tell the business unit that, if it wants to get into a new line of business, a list of compliance requirements needs to be implemented. Even if there is no overt pushback, there may be some very severe reservations. Doubt mining, explains Alan Wilemon (LinkedIn), Head of Privacy at Stellar Health, is about getting people to give feedback about what they are nervous about and what they feel will not work in a project. Put another way, it’s about searching for why they have doubts about the project and whether a goal can be achieved on schedule. So how do you mine those doubts and identify where the risks are? First, create a safe environment and invite them to speak up. Reach out to project stakeholders first. Then, secondarily, talk to any people who have been spoken for in the meeting. If people are “volunteered” to be a part of the project, talk to them as well. Also, avoid asking for questions or concerns only at the end of the meeting. At that point many people are eager to leave and won’t say or want to hear anything. And even if people do want to discuss the issue, you will quickly run out of time. Instead, invite comments earlier and ask them questions such as “Do you think we are being too aggressive?” You need to be the first to admit that there may be issues and the plan could be improved. Listen in to learn more, and then become a doubt miner.

 Roxanne Petraeus on Compliance During Layoffs [Podcast] | File Type: audio/mpeg | Duration: 12:45

By Adam Turteltaub Whether you call it a layoff or a reduction in force (RIF), it’s a stressful time for the organization and the people who work there. Research shows that people under stress don’t make the best decisions, which could raise compliance risk. Plus, it is always feared that some may make retaliation claims in order to preserve their jobs. Roxanne Petraeus, co-founder and CEO of workplace compliance training company Ethena, says that the good news for compliance teams is that they should continue to focus where they always have: the culture. The bad news is that culture and trust are both damaged during a RIF, which can lead to both an increase in misconduct and a decrease in reporting. Because of that, communication is more important than ever, she observes. Employees are hungry for more information. And don’t forget another form of communication: just being visible. Let them know that you are there for them. Other advice she offers:

  • Remind employees about the organization’s policies
  • Embrace the idea that more is better
  • Train effectively in a targeted way, such as focusing on the code of conduct
  • Get in the habit of conducting regular surveys of the workforce

Listen in to learn more about how to better manage compliance programs during layoffs.

 Todd Haugh on Nudges, Compliance & Ethics [Podcast] | File Type: audio/mpeg | Duration: 13:44

By Adam Turteltaub There has been a lot of discussion over the last few years about nudges, although typically in the general business environment, rather than in the world of compliance and ethics. A notable exception has been the work of Todd Haugh, Associate Professor of Business Law and Ethics at the Kelley School of Business at Indiana University, and a Board Member and Jesse Fine Fellow for the Poynter Center for the Study of Ethics and American Institutions. He has written about nudges and offers additional resources on behavioral compliance. In this podcast, he explains that behavioral science has revealed that nudges – carefully crafted prods to make the right decision – can have a profound impact. A nudge takes advantage of choice architecture, which pushes people in a direction by structuring the environment in which choices are made. Notably, this is not about tricking people. This is a pro-social effort. So, how does it work in practice? It begins at the end. Look at the outcome desired and then examine the steps along the way. As you do, build a behavioral map that identifies when small interventions in existing processes can achieve positive compliance results. For example, one organization was receiving more anonymous reports on its help line than it desired. The organization realized that the default setting for reporters was set to anonymous. By simply shifting the default to including the person’s identifying information, non-anonymous calls increased 5%. Another example comes in the area of travel. When an employee fills out a travel form for a high-risk country, it’s a good time to provide information on data security and the corruption risks of meeting with government officials. Professor Haugh cautions that it is best to think of nudges as ways to have specific impacts on certain behaviors, not to do something broad like creating a positive corporate culture. 
Have reasonable expectations and then test out various nudges to see which ones are having an impact and which ones aren’t. Listen in.  It may nudge you to think of your compliance efforts differently.
