Criteria

Use These Criteria To Guide Your Submission

Best Practice Criteria

 

The Best Practices Committee in conjunction with the Health Ethics Trust works to continually improve the best compliance practices criteria. This is achieved by seeking external feedback on the practicality and appropriateness of the criteria from compliance professionals, relevant government agencies, content experts, industry associations, accreditation bodies, and other stakeholders. This process is ongoing and the Trust welcomes any comments you may have which will continue to enhance the existing criteria.

 

The Health Ethics Trust also works with other agencies and groups to ensure that the best practice criteria are not developed in isolation from other work being undertaken in health care compliance and organizational/business ethics more generally.

 

Nominations are accepted for any part of a health care compliance program that an organization considers as worthy of recognition.

 

There are, however, some sample areas of health care compliance programs where written criteria outlining best practices have been developed (below). Organizations may elect to either nominate in an area where criteria have been defined, or nominate another aspect of their compliance program or approach. It is not necessary to meet all the criteria in a defined area to win a Best Practice Award.

 

Sample Submission Areas & Criteria

Integrating Audit and Internal Controls with Ethics and Compliance

Summary

Achievement in the integration of the company’s internal and external audit program assures that the ongoing efforts of the compliance or integrity program support strong internal controls.

Definition

An essential element of an effective compliance program is the ongoing audit of the company’s compliance with applicable laws, regulations, policies and procedures and the review of the necessary internal controls to assure that the company is complying with its commitment to ethical business practices. The results of such audit or review activity should be fully integrated into the company’s ongoing compliance program to assure that corporate wrongdoing, or potential compliance concerns, can be addressed and resolved in an appropriate and prompt manner.

Achievement to Warrant Finding of Best Practice

In evaluating whether a program has achieved a “Best Practice” in this element, look for the existence of the following criteria:

1. Policies and Procedures 

There should be written policies and procedures that establish:

  • The role of external auditors and internal audits in the review of internal controls, and the conduct of financial audits, operational (e.g., management or performance based) reviews, and compliance audits;
  • An organizational relationship between the audit function (whether internal and/or external) and the integrity/compliance function, including the use of auditors to conduct internal investigations under the auspices of the compliance department;
  • Appropriate internal controls to monitor compliance with applicable laws, regulations, standards, and organizational policies and procedures. Processes to review the effectiveness of these internal controls should also be established;
  • The accountabilities and responsibilities of the Board of Directors/governing body, Audit Committee (or compliance subcommittee) and senior corporate leaders in overseeing and monitoring the adequacy of internal controls;
  • That appropriate business functions (e.g., accounting, coding, HR, purchasing, QA, etc.) have implemented their own procedures to govern their actions and roles in the monitoring of internal controls and ongoing review processes – OR – effective alternatives to self-monitoring methodologies have been established to achieve the same goals; and
  • A records retention protocol that provides for the collection, retention, archival and destruction of documents and records in accordance with applicable law and standards.
2. Documentary Evidence 

There should be written evidence (e.g., signature attendance sheet for training, orientation materials for internal auditors, etc.) of the following:

  • The company has appropriately segregated job duties that reduce the likelihood of fraudulent actions and/or errors in key compliance risk areas (e.g., separation of custody of assets from accounting and finance; separation of operational and record-keeping responsibilities etc.);
  • A disciplined signature/discretionary authority process that provides for both the proper authorization of, and approval of transactions and activities;
  • Independent checks and internal verifications within each business function to assure adequate segregation of duties, proper authorization of transactions and activities, adequate documents and records, and physical control over assets and records;
  • Annual integrity/compliance training of employees which reinforces the company’s commitment to integrity in all its business and financial transactions and the importance of employee compliance with company policies and procedures;
  • Targeted technical compliance training of appropriate individuals to reinforce the compliance obligations of Board members, senior management, and employees endowed with discretionary authority or fiduciary responsibility or who have responsibility for areas of significant compliance risk to the organization; and
  • Discipline-specific training for employees performing internal audit and internal control review functions.
3. Role of Compliance Function 

The Compliance/Integrity Officer should be able to demonstrate that:

  • The organization periodically conducts risk assessments of the entire operation to identify specific risk areas that affect its compliance posture and internal control process. The risk assessment tool used by the compliance function or internal audit in this context should be documented and reviewed regularly;
  • Identified compliance risk areas are included in the organization’s annual audit plan;
  • The organization has policies and procedures that govern the frequency, scope and conduct of internal audits, compliance reviews, and the reporting criteria for them. These policies and procedures need to provide latitude for reassessment of audit and review plans based on changing risks and priorities;
  • The organization has a process for modifying its annual audit plan to confirm implementation, and to determine the adequacy of, corrective actions required by reportable or disclosable issues;
  • The organization has a process for communicating key compliance related audit and review outcomes, and reportable or disclosable conditions to the Board, senior management and, where appropriate, outside agencies and/or enforcement bodies; and
  • The organization has properly disclosed the results of internal audits, compliance reviews, or internal investigations when required by law.
Response to Internal Investigations of Improper Conduct & Corrective Action Procedures

Summary

Achievement in the appropriate corporate response to internal investigations concerning potential corporate wrongdoing, and implementation of appropriate procedures ensures consistent disciplinary action and corrective actions to prevent the recurrence of such improper behavior.

Definition

An essential element of an effective compliance program is the implementation of consistent disciplinary actions and corrective action plans to assure that corporate wrongdoing is promptly corrected, the implicated parties receive the appropriate discipline, and the wrongdoing does not recur.

Achievement to Warrant Finding of Best Practice

In evaluating whether a program has achieved a “Best Practice” in this element, look for the existence of the following criteria for the response to internal investigations, and the adoption of necessary discipline and corrective action procedures:

1. Policies and Procedures 

The Compliance Program should have the appropriate policies and procedures in place concerning:

  • Time frames for the investigation, resolution of reported issues or concerns, and adoption and implementation of corrective action plans;
  • Investigation protocols detailing the procedures to follow in, and the persons responsible for conducting, investigations of possible compliance issues;
  • Standards for documentation of investigations, results and follow up;
  • Establishment and application of consistent disciplinary standards (including application of disciplinary action under any existing union contracts), which include the input of the Compliance Officer in disciplinary decisions as a result of compliance violations;
  • The monitoring of implementation of all corrective action plans, and follow up procedures as a result of discovered corporate wrongdoing;
  • Resolving compliance issues potentially involving Board members and/or senior executives/officers of the organization;
  • Retention of compliance counsel as appropriate; and
  • Background and exclusion checking of all employees, physicians and other applicable individuals or organizations.
2. Follow up to Investigations 

There should be documentary evidence that the compliance program:

  • Receives all reports of compliance violations in a timely fashion;
  • Documents all intake, and requests for assistance in the investigation of all compliance violations;
  • Works with other appropriate departments/disciplines to investigate and resolve concerns (e.g., HR, Audit, Risk Management, etc.);
  • Coordinates the organization’s use of the government sanctions lists to assure employees, physicians and others hired by the organization (or under contract with the organization) are not excluded;
  • Compiles appropriate data on compliance reports, investigations, and resolution for presentation to Board of Directors/Compliance Committee; and
  • Maintains a database of all investigations, including documentation of steps taken, interviews, etc., for the appropriate retention period.
3. Compliance Program 

The Compliance Program should:

  • Assure that all compliance concerns are investigated thoroughly;
  • Gather and maintain appropriate documentation in a confidential way;
  • Coordinate all disciplinary actions, following compliance violations, and the creation and implementation of corrective action plans; and
  • Ensure the organization’s non-retaliation policy is fully implemented and followed.
Compliance Program Assessment

Summary

Achievement in the conduct and reporting of the periodic/annual assessment of the corporate compliance program that meets the requirements of element 7 of the “Elements of an Effective Corporate Compliance Program”.

Definition

The Program Assessment is a periodic review of the progress and/or achievement of the organization’s compliance program. This assessment should be conducted by or under the direction of the Compliance Officer, and focus on the organization’s implementation of the 7 elements of an effective corporate compliance program.

Achievement to Warrant Finding of Best Practice

In evaluating whether a program has achieved a “Best Practice” in this element, look at the following criteria for a compliance program assessment:

1. Corporate Governance and Oversight

The assessment should demonstrate review of:

  • Governing charters for the Compliance Officer and other related personnel;
  • Policies regarding reporting relationships between liaisons and CCO, Compliance Committee, Board of Directors and others with oversight of the program;
  • Written evidence of high level management support, including Board resolutions, corporate funding of program;
  • Adequacy of compliance office staff and resources; and
  • Appropriateness of delegated compliance responsibilities.
2. Code of Conduct Review

The assessment should:

  • Adequately review content to assure it provides adequate guidance to employees concerning all major risk areas within the organization;
  • Review the Code’s coverage of laws and regulations affecting the organization;
  • Include review of such important Code topics as documentation, billing and coding, conflicts of interest, workplace environment and safety, HR issues, provider relationships, gifts and gratuities; and
  • Review how the Code has been disseminated, what employees have received it, how receipt is audited, etc.
3. Review of Policies and Procedures

The assessment should:

  • Review the existence and content of policies regarding all major risk areas identified in the Code;
  • Look for and review Compliance Program related policies and procedures, such as non-retaliation, reporting process, conflicts of interest, charters for the compliance program and compliance officer; and
  • Review operational procedures for accuracy, implementation and employee knowledge of content, including background checks, investigation of incidents, EMTALA, anti-kickback issues, safety, billing and coding.
4. Internal Controls

The assessment should determine the adequacy of:

  • Internal audit reviews in the major compliance risk areas of the operation;
  • Targeted auditing of billing and coding issues, coverage issues, OIG identified “Fraud Alert” areas and other identified high profile enforcement issues;
  • All audit protocols, investigation procedures, and reporting processes; and
  • Compliance office coordination with Legal Department, HR, Internal Audit, Medical Records, etc., concerning investigations and ongoing audits/reviews.
5. Internal Reporting Process

The assessment should review and evaluate:

  • Operation of the confidential phone line (or other formal reporting mechanism);
  • Use of in-house/outside resources to operate the reporting program;
  • Training of staff which coordinates phone line and/or receives reports from outside hotline operation;
  • Procedures used to receive, record and protect information;
  • Process of investigation and follow up to reports, including providing feedback to callers;
  • Other reporting channels within organization, including decision tree steps; and
  • Organization’s protection of reporters, response to allegations of retaliation.
6. Education and Training

The assessment should evaluate:

  • Content of all compliance training, corporate values focus, company commitment to ethical practices, participation of management in presentation;
  • Delivery and audit of training program, percentage of employees who received it, support of management/supervisors; and
  • How training is provided (e.g., face-to-face training vs. electronically), feedback from participants, use of case studies.
7. Corrective Actions

The assessment should review and evaluate:

  • Implementation of corrective action following investigation/determination of violations;
  • Consistency of all disciplinary decisions;
  • Timeliness, appropriateness and thoroughness of corrective action;
  • Record keeping of all disciplinary actions, corrective action plans;
  • Follow up to, and implementation of all corrective action plans; and
  • Managers’ and supervisors’ support of all disciplinary decisions and corrective actions.
Vendor Relations

Summary

Effective communication with an organization’s vendors and business partners regarding the ethical guidelines, internal policies and government regulation related to gifts and business courtesies (including entertainment) helps establish an environment where business decisions are guided by quality, effectiveness and price rather than being influenced by inducements.

Definition

An essential element of an effective compliance program is the establishment of appropriate policies regarding vendor relations, communication of these policies to employees, vendor and business partners, mechanisms to monitor adherence and procedures for intervening when policies are not followed.

Achievement to Warrant Finding of Best Practice

In evaluating whether a program has achieved a “Best Practice” in this element, look for the existence of the following criteria:

1. Policies and Procedures

There should be written policies and procedures that establish:

  • Guidelines that define in specific terms what is acceptable and not acceptable with respect to gifts and business courtesies. Guidelines should reflect current standards in the industry (e.g., AMA Guidelines for physicians). It is preferable for terms like “nominal” to be specifically defined as they may have different meanings to different individuals;
  • Definitions of the types of individuals and entities included under organizational policies and procedures on vendor-related issues;
  • Policies should be consistent with related policies dealing with issues such as: contracting with third parties, company assets, political activities and public affairs, grants and sponsored trips, sales and marketing practices, conflicts of interest, prohibition of bribes and other corrupt practices;
  • An approval process for both the offering and accepting of gifts and gratuities;
  • Communication mechanisms for employees to report violations of policy or to ask questions or for guidance;
  • Effective communication mechanisms for vendors and business partners to report violations of policy or to ask questions or for guidance;
  • A process for distributing the policies to vendors and business partners and for them to acknowledge their understanding and agreement to abide by the policies as a requisite condition for their doing business with the organization;
  • Processes for checking vendor misconduct or exclusion/debarred status prior to entering into contractual arrangements;
  • Processes to disclose and to mitigate potential conflicts of interest (e.g., Board, senior executives, employees);
  • Education and training regarding the policies and procedures related to vendor relations is provided to all employees and is documented;
  • Clarification on the roles of each department (such as legal counsel, audit, finance, compliance and human resources) with regard to oversight and enforcement of policies related to vendor relations; and
  • Agreed processes for relationships between vendors and fundraising foundations which are part of the health care organization. Donations given to foundations should not influence contract decision making processes.
2. Documentary Evidence

There should be written evidence of the following:

  • Disciplinary actions taken against employees or staff for violation of policies and procedures. This evidence should support that disciplinary action is applied consistently across all job roles and functions within the organization;
  • Integrity/compliance training of employees which reinforces the company’s commitment to integrity in all its business and financial transactions and the importance of employee compliance with company policies and procedures. This education should include the policies regarding vendor relations and methods of reporting concerns;
  • Checks of vendors against the debarred contractor list or for records of prior misconduct;
  • Targeted technical compliance training of appropriate individuals to reinforce the compliance obligations of Board members, senior management, and employees endowed with discretionary authority or fiduciary responsibility or who have responsibility for areas of significant compliance risk to the organization;
  • Discipline-specific training for employees performing internal audit and internal control review functions; and
  • Concerns reported to the Hotline or other appropriate mechanisms are investigated and appropriate action is taken as needed.
3. Role of Compliance Function

The Compliance/Integrity Officer should be able to demonstrate that:

  • The organization establishes and updates compliance training courses relating to vendor relations and the offer and acceptance of business courtesies or gratuities;
  • The Compliance Office resolves employee and supplier questions and/or concerns relating to vendor relations and business courtesies or gratuities;
  • The Compliance Office or other relevant staff function investigates and resolves allegations of misconduct concerning vendor or supplier relationships and compliance with organizational policy relating to business courtesies or gratuities;
  • Relevant compliance risk areas such as strategic procurement agreements and business courtesies or gratuities policy compliance are included in the organization’s annual audit plan;
  • The organization has policies and procedures governing procurement, supply chain management and/or vendor relations as well as for the offering/accepting of business courtesies or gratuities that are updated to reflect changes in relevant laws and regulations such as the Anti-Kickback Act;
  • The organization has a policy or process governing disclosure(s) to relevant U.S. Government agencies of violation(s) of such laws as the Anti-Kickback Act;
  • The organization has a process for ensuring that no current or candidate supplier or vendor is barred or suspended from participating in or receiving any U.S. Government funds in the performance of a procurement and/or contract action; and
  • The organization has a process for periodically (e.g., annually) reminding vendors or suppliers of relevant laws, regulations and policies governing vendor or supplier relationships, including permissible business courtesies or gratuities, and the penalties for violating them.
Compliance Function Involvement In Patient Safety & Medical Error Reduction

Summary

Patient safety is a critical aspect of health care delivery. Health care facilities have an obligation to provide a safe environment in accordance with their ethical commitment to quality patient care. The impetus to adopt systematic and pro-active approaches for improving patient safety and reducing medical errors is increasing. Government agencies, such as HHS OIG and CMS, and industry associations such as AHA, have raised the profile on the importance of implementing distinct processes to improve quality of care and patient safety. Accreditation bodies such as JCAHO are also making formal patient safety and medical error reduction programs a part of accreditation requirements.

Patient safety is not an issue that can be addressed in isolation. Effective initiatives to improve patient safety are organization wide and multi-disciplinary. Accordingly, the health care compliance function has an important contribution to make to an organization’s efforts to improve patient safety and reduce medical errors. This contribution is consistent with the compliance function’s commitment to enhance quality of care through system oriented efforts to foster organizational cultures which support ethical and legal conduct. These best practice criteria seek to recognize some of the innovative and diverse ways health care compliance can assist in the enhancement of patient safety and quality of care.

It is important to note that the establishment of formal patient safety programs in most health care organizations is a relatively new phenomenon. As such, the exact involvement of the compliance function in these initiatives is still evolving. It is anticipated that these current best practice criteria will change as the role of the compliance function in patient safety programs becomes more defined with time.

Definition

Effective efforts to improve patient safety and reduce medical errors depend on integrated, organization-wide initiatives that are strongly and visibly supported by leadership. The emphasis should be on developing a culture of safety where the focus is on improving systems rather than blaming individuals. Processes and internal control systems should be established to both prevent and detect medical errors. All areas and functions of the health care organization have a role to play in enhancing patient safety.

Achievement to Warrant Finding of Best Practice

The “Best Practice” criteria below describe the type of contribution a compliance officer could make to their organization’s efforts to improve patient safety. These criteria will be used for evaluation of nominations in this area.

Please note: These criteria are not intended to suggest that the compliance officer should have primary responsibility for overseeing the organization’s patient safety program or initiative. However, they do recognize that the expertise, skills and experiential knowledge developed while undertaking the compliance role are aligned to those required to establish an effective patient safety and medical error reduction program. Notably, effective compliance efforts and patient safety efforts share the following commonalities: (1) a strong system oriented approach; (2) mission driven and values-based; (3) promote and improve quality of care; (4) require strong, visible leadership support and appropriate governance structures; (5) need to be integrated within an organization and become part of the organizational culture; (6) should be supported by appropriate policies, procedures and mechanisms for reporting and disclosures of sensitive information, etc. These commonalities mean that the compliance officer is uniquely placed to make a useful contribution to their organization’s efforts to improve patient safety and reduce medical errors.

Compliance Officer Role

The compliance officer should:

  • Be a member of the organization’s patient safety committee. The committee should be multi-disciplinary and include representation from senior management, and key functional areas including compliance, quality, risk management, medical, nursing and maintenance;
  • Contribute to the development of the organization’s strategic plan to improve patient safety and reduce medical errors;
  • Provide guidance or assist in the development and implementation of appropriate systems and internal controls to prevent and detect medical errors and patient safety problems, including development of performance measures, analysis of outcomes and implementation of remedial actions;
  • Emphasize the links between patient safety efforts and the organization’s compliance efforts (e.g., emphasize the common goals to improve quality of care);
  • Promote patient safety and medical error reduction as a part of compliance-related education initiatives and compliance-related communications including newsletters, posters and web pages;
  • Assist in the development of an organizational reporting mechanism for patient safety concerns and medical errors. This should include guidance on related policies and procedures such as non-retaliation policies, reporting requirements (internal and external), disclosure of issues to patients and families, and handling of sensitive disclosures by medical staff (especially those which may impact on licensure or credentials), and investigations following reports. It may be appropriate to utilize some of the pre-existing compliance policies and procedures in this area, for example, a consistent non-retaliation policy that applies to use of all reporting mechanisms is preferable. In some cases the pre-existing compliance reporting mechanism (e.g., hotline) may also be used for patient safety reports, and in these cases, relevant policies and procedures should be amended accordingly;
  • Support leadership and governance efforts to promote the enhancement of patient safety;
  • Support and promote the sharing of information and beneficial practices related to patient safety and medical error reduction;
  • Provide oversight to assure compliance with applicable patient safety and medical error reduction regulations, laws and standards, including requirements of government agencies and accreditation bodies. The compliance officer should be prepared to provide oversight and correction in any case in which normal organizational processes (e.g., line of command or incident reporting processes) have failed;
  • Include patient safety and medical error reduction issues as part of routine compliance audits and compliance risk assessments;
  • Ensure that in teaching institutions the patient safety and medical error reduction program/initiative addresses activities of medical students; and
  • Ensure that patient safety and quality of care issues are considered as part of medical appointments and re-appointments.
HIPAA Implementation

Summary:

As various date-effective milestones have passed in the HIPAA Privacy, Administrative Simplification and Security Regulations, we wonder how reality compares with prognostication. Implementation of these regulations is important both for demonstrating compliance with substantial federal requirements (that carry financial penalties) and for enhancing industry safeguards for the confidential information obtained and used in the patient care process. The regulations called for improvement and development of several rigorous systems that may not have existed previously. This best practice recognition will identify candidates that have implemented, operationalized and evaluated one or more such systems.

Definition:

Policies and procedures, communication and training and implementation are all elements of a successful response to the many and varied HIPAA requirements. Some examples of elements we wish to learn about are:

  • Implementation and tracking of Privacy Disclosure Notifications
  • Implementation and tracking of Disclosures not Requiring Authorization
  • Breach reporting, investigation and Outcomes
  • Disciplinary criteria, application and monitoring

Achievement to Warrant Finding of Best Practice 

In evaluating whether a program has achieved a “Best Practice” in this element, look for the evidence meeting the following criteria:

1. Policies and procedures

Written policies should be in place that establish at a minimum:

  • Acceptable practices relative to the use and disclosure of personal health information
  • Definitions that are specific as to scope and responsibility
  • Mechanisms in place to achieve acceptable practice
  • Identification of responsible parties
2. Documentation
  • Training and communication materials
  • Record keeping documenting completion by affected staff
  • Evaluation of training effectiveness
3. Role of the Compliance Officer
  • Audit and monitoring activities
  • Reporting structures and activities to management
  • Sanctions and disciplinary processes associated with HIPAA violations
  • Whether the organization has identified a Privacy/Security officer, and what the relationship is to the Compliance function
4. The HIPAA Security Regulations require a covered entity to implement security measures and solutions that are reasonable and appropriate for the organization. We would be interested in learning of best practices related to the administrative, physical and technical safeguards outlined in the Security Regulations, such as:
  • Risk analysis
  • Unique security awareness and training techniques
  • Access control and validation procedures
  • Device and media controls
  • Emergency access procedures
  • Audit controls and review of audit reports: What kind of data is being gathered and how often audit reports are being reviewed.
Medicare Part D Compliance

Summary:

Achievement in a Part D prescription drug plan (PDP) compliance program assures a disciplined approach to compliance with the applicable laws and regulations and to the implementation of an effective program to detect, correct, and prevent fraud, abuse, and waste. An effective PDP compliance program will make effective use of the organization’s existing compliance and fraud and abuse programs. Particularly important is the integration of audit and internal controls with ethics and compliance.

Definition:

An effective PDP compliance program requires establishment of policies and procedures to implement Part D requirements, effective training of employees, directors, and subcontractors, and a robust program to detect, correct, and prevent fraud, abuse, and waste.

Achievement to Warrant Finding of Best Practice

In evaluating whether a program has achieved a “Best Practice” in this element, look for the existence of the following criteria:

1. Policies and Procedures

There should be written policies and procedures that:

    • Address the major components of a Part D program (PDP), including:
      a. Benefit design, including the pharmacy and therapeutics committee, utilization management standards, quality assurance and patient safety, medication therapy management, and electronic prescriptions.
      b. Pharmacy access, including retail pharmacies, out-of-network access, mail order, home infusion, and Indian Health Service, Indian Tribe and Tribal Organizations, and Urban Indian Organization (I/T/U) pharmacies.
      c. Enrollment and eligibility, including special enrollment periods, retroactive enrollment, and disenrollment (voluntary and involuntary).
      d. Grievances, including expedited reviews and member materials.
      e. Exceptions and appeals, including expedited appeals, levels of review, notice of adverse determinations, and member materials.
      f. Coordination of benefits, including user fees.
      g. Tracking Out-of-Pocket Costs (TrOOP), including monthly reports to members, member access via phone, and status at disenrollment.
      h. Marketing and beneficiary communications, including legal and business reviews and oversight of marketing materials, enrollee information, call center operation, web access, and EOBs.
      i. Provider communications.
      j. Reporting requirements, including significant business transactions, claims data, discounts and rebates, UM data, appeals, medication therapy management data, pricing and pharmacy network information, and conflicts of interest.
      k. Data exchange with CMS, including monthly enrollment, disenrollment, and change transactions and enrollment/payment reconciliations.
      l. Privacy, including disclosure to beneficiaries of PHI policies.
      m. Security and record retention.
      n. Claims processing, including in-network and out-of-network claims, mail order claims, claims data retention, audit trails, handling of overpayments / underpayments, etc.

    • Define the Compliance Program. These policies and procedures establish:

      a. The PDP’s cooperation and coordination with CMS and the organizations designated by CMS, including Medicare Drug Integrity Contractors (MEDICs), responsible for assisting PDPs with detection, correction, and prevention of fraud, abuse, and waste.
      b. The PDP’s commitment to detect, correct, and prevent fraud, abuse, and waste (FAW). Policies and procedures will:
        i. Require written standards of conduct to be distributed to employees at time of hire, to subcontractors at time of contract, when standards are updated, and annually thereafter. As a condition of employment, employees must certify that they have read and will comply with the standards.
        ii. Require employees and subcontractors to sign a statement related to conflicts of interest at time of hire or contract and annually thereafter.
        iii. Require the PDP to review exclusion lists periodically to ensure that employees and subcontractors are not on such lists and that the appropriate employment and contracting actions are taken for employees or contractors appearing on such lists.
        iv. Describe how overpayments in the network are identified and repayments made to CMS.
        v. Describe how the PDP identifies FAW in the network and reports incidents as appropriate, internally and/or externally, for investigation.
        vi. Describe how the PDP coordinates and cooperates with CMS, organizations designated by CMS, and law enforcement agencies in conducting audits and investigations.
        vii. Describe how the PDP performs data requests for CMS, organizations designated by CMS, and law enforcement agencies.
        viii. Describe how the PDP will maintain records for 10 years as required in the Federal Regulation.
        ix. Describe how the PDP will ensure full disclosure of pricing decisions including clear guidance on how all decisions are to be documented. This includes the steps that will be followed to prevent receipt or provision of benefits on commercial business in consideration of Part D formulary decisions.
        x. Describe how the PDP will maintain a commitment to legal and ethical P&T Committee decisions and formulary decisions.
      c. Accountability of the PDP’s Compliance Officer and Compliance Committee for the PDP’s FAW and overall compliance plan.
      d. An effective training and education program related to detection, correction, and prevention of FAW and compliance with the laws and regulations governing the PDP.
        i. Training will include directors, compliance officer, compliance committee, employees, subcontractors, and agents.
        ii. Content of training will be aligned with CMS requirements and the specific requirements and needs of the PDP.
      e. Effective lines of communication between the compliance officer and employees, subcontractors, agents, directors, and members of the compliance committee. Effective communication requires:
        i. Hotlines for employees, subcontractors, and beneficiaries to report suspected FAW and other potential violations of laws and regulations and the PDP’s written standards of conduct.
        ii. Prompt initiation of investigations in response to hotline inquiries and reports.
        iii. Centralized systems to track inquiries, reports, and corrective actions.
        iv. Procedures to ensure honest, effective, and efficient relationships with CMS, organizations designated by CMS, and law enforcement.
      f. Promotion of FAW and other PDP standards through well-publicized disciplinary guidelines.
      g. Effective internal monitoring and auditing of FAW and compliance with other laws and regulations. The monitoring and auditing should be based on priorities established by the PDP’s risk assessment system.
      h. Ensure prompt responses to FAW and other compliance issues and develop corrective action initiatives relating to such offenses. Policies and procedures should address self-reporting of FAW.

    • Orderly and robust processes for completing and verifying certifications and attestations.

    • Frequent, risk-based monitoring and oversight of delegated entities.

2. Documentary Evidence
There should be written evidence, reflecting enterprise-wide engagement, of the following:

      • Policies and procedures address the major components of the PDP as defined in the regulations.
      • The distribution of written standards of conduct to the appropriate audiences and the timely completion of certifications.
      • Timely distribution and completion of conflict-of-interest statements.
      • Timely reviews of exclusion lists.
      • Appropriate identification and repayment of overpayments.
      • Appropriate initiation of FAW investigations, and timely and appropriate reporting of incidents.
      • Coordination and cooperation with CMS, organizations designated by CMS, and law enforcement agencies in conducting audits and investigations.
      • Timely and accurate completion of data requests by CMS, organizations designated by CMS, and law enforcement agencies.
      • Maintenance of records.
      • Full disclosure of pricing decisions.
      • Documentation of P&T Committee decisions and formulary decisions demonstrating legal and ethical decision-making.
      • Training and communication with all appropriate constituencies. Training documentation should demonstrate both content and attendance.
      • Effective implementation of the hotline, as demonstrated by promptness and thoroughness of investigations.
      • Communication of disciplinary standards to the appropriate audiences.
      • Appropriate coordination / integration of the compliance and fraud (SIU) functions, such that:
        a. Risks are prioritized based on a risk assessment system.
        b. Audits and monitoring activities are conducted in priority areas.
        c. Corrective actions are prompt and thorough.

      • Accuracy and completeness of certifications and attestations.
      • Robust monitoring of activities carried out by delegated entities.

3. Role of Compliance Function
The Compliance/Integrity Officer should be able to demonstrate that:

      • The organization has developed and communicated written standards of conduct.
      • The organization has effectively conducted training in the written standards of conduct, including identification, correction, and prevention of FAW, and the disciplinary actions that will occur for failure to comply with such standards.
      • There are effective communications with employees, subcontractors, agents and with the compliance committee and directors, so that reports of potential FAW and other compliance issues are encouraged, appropriately investigated, and promptly reported.
      • Exclusion lists are reviewed periodically.
      • Compliance risk is appropriately assessed, prioritized, and managed. The auditing/monitoring program of the PDP is driven by the risk priorities.
      • The PDP devotes sufficient budget and human resources to compliance.
      • Appropriate disciplinary and contractual actions have occurred as a result of violations.
      • The compliance program is assessed periodically and modified in light of FAW and other violations of laws, regulations, and written standards of conduct.
Other Compliance Program Areas

Summary

Nominations are accepted for any part of a health care compliance program that an organization considers worthy of recognition. Organizations may elect to either nominate in an area where criteria have been defined, or nominate another aspect of their compliance program or approach. It is not necessary to meet all the standards listed in a sample criteria area to win a Best Practice Award.

Examples of additional compliance program areas and Best Practice Standards can be found in the Health Ethics Trust’s Best Practice Standards for Compliance Programs 2014: A Manual for Compliance Professionals.