Compliance Mapping Tool Across Healthcare Federal Regulatory Guidelines
The healthcare compliance professional’s guide to aligning organization policies, procedures, and internal controls with key federal regulatory guidance
Interactive Compliance Crosswalk
This crosswalk mapping tool serves as a central reference for comparing and interpreting requirements from the authoritative sources listed in the left-hand column of the chart below.
Note: The information presented is current as of October 15, 2025. An interactive workbook of Clearwater's Healthcare Regulatory Compliance Crosswalk is also available.
Written Policies and Procedures
Policies should be developed to address the high-risk areas that could give rise to fraud, waste, and abuse or false claims. "through written policies and procedures, entities can provide a roadmap for relevant individuals, outlining their duties within the organization, developing workflow management, imposing documentation requirements, defining individual and organizational oversight roles, and implementing controls entity-wide to mitigate compliance risks specific to the entity." "Compliance policies and procedures should encompass at least two areas: (1) the implementation and operation of the entity’s compliance program, including the seven elements discussed in this section; and (2) processes to reduce risks caused by noncompliance with Federal and State laws." The guidance specifically calls for an exclusion screening policy. The Code of Conduct should be included in the library of compliance policies. Policies should be reviewed at least annually to reflect any modifications to applicable statutes, regulations, and Federal health care program requirements.
Recommends developing policies for emerging risk areas such as technology, specifically calling out artificial intelligence ("AI"), and incorporating lessons learned into policies.
Also notes that the Code of Conduct should be included in the library of compliance policies.
"prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations."
Policies and procedures are assessed on Design, Comprehensiveness, Accessibility, Responsibility for Operational Integration, and Gatekeepers.
"Does the company have an anti-retaliation policy?"
"How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices?"
"Organizations shall establish standards and procedures to prevent and detect misconduct."
Emphasizes that sponsors should have policies demonstrating that noncompliance is addressed in a timely, consistent, and efficient manner. Sponsors must distribute policies to the workforce within 90 days of hire. FDRs (first tier, downstream, and related entities) must attest that they comply with the sponsor's policies or show that they have policies equivalent to those of the sponsor.
References to specific policies include:
- Develop a system to evaluate the consistent application of internal policies and assessment tools that determine resident admission decisions. A consistent application of clear admissions standards and facility policies will help facilities provide appropriate, high-quality, comprehensive, person-centered, and interdisciplinary, team-based care;
- Policies and procedures to minimize the potential for conflicts of interest related to pharmaceutical decisions, which clearly state that all prescribing decisions must be based on the best interests of the individual resident, and that drug switches may only be made upon authorization of an attending physician, medical director, or other licensed prescriber (except in certain limited circumstances);
- Develop and implement written policies and procedures to prohibit and prevent the mistreatment, neglect, and abuse of residents; and
- Policies which address billing compliance with SNF Prospective Payment System requirements.
Compliance Officer
The compliance oversight role should be independent of any operational role in the organization. It is recommended that the compliance officer report to the CEO and not to the legal function, with adequate access to senior leadership and the Board. "A key indicator of the board and senior leadership’s commitment to compliance is the appointment and support of a compliance officer who has the authority, stature, access, and resources necessary to lead an effective and successful compliance program." "the compliance officer should not be responsible, either directly or indirectly, for the delivery of health care items and services or billing, coding, or claim submission. In addition, involvement in functions such as contracting, medical review, or administrative appeals present potential conflicts. Whenever possible, the compliance officer’s sole responsibility should be compliance." "The compliance officer should: ♦ report either to the CEO with direct and independent access to the board or to the board directly; ♦ have sufficient stature within the entity to interact as an equal of other senior leaders of the entity; ♦ demonstrate unimpeachable integrity, good judgment, assertiveness, an approachable demeanor, and the ability to elicit the respect and trust of entity employees; and ♦ have sufficient funding, resources, and staff to operate a compliance program capable of identifying, preventing, mitigating, and remediating the entity’s compliance risks." (For the purposes of the GCPG, "senior leadership" means the group of leaders who report directly to the executive leading the entity, usually the CEO; some entities refer to this group by other names, such as executive leadership.) "The compliance officer should have the authority to review all documents, data, and other information that are relevant to the organization’s compliance activities."
Those in charge of compliance oversight should have adequate authority and stature in the organization. DOJ evaluates whether the compliance program is run by a designated compliance officer or by another executive in the organization, and whether the individual in charge of compliance has additional roles and responsibilities. "To whom does the compliance function report? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company?" "Prosecutors should also evaluate “[t]he resources the company has dedicated to compliance,” “[t]he quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk,” "if a compliance program is to be truly effective, compliance personnel must be empowered within the company"
The compliance program should be overseen by high-level personnel who are assigned overall responsibility for the compliance program.
CMS strongly recommends a dedicated Medicare compliance officer, although it is not required. Otherwise, the compliance officer should have extensive knowledge of Medicare. The compliance officer should be independent and should not serve in both compliance and operational roles.
Nursing facilities should consider recruiting a compliance officer with sufficient experience with managing compliance programs and involvement with quality assurance efforts centered on quality of care, quality of life, and resident safety. Individuals with both compliance and quality assurance experience are better positioned to monitor and address compliance with regulations and Federal health care program requirements, adherence to professionally recognized standards of care, and remedial efforts to address noncompliance or failures of care. "For nursing facilities that are part of a system or chain, responsibility for corporate compliance should be assigned to a compliance officer at the highest level of a corporation or management organization who should develop, implement, support, and monitor compliance and quality programs to ensure a systematic and consistent approach to compliance and quality oversight." Individual nursing facilities that are independent and not owned or operated by a corporate or management entity should ensure that responsibility for corporate compliance rests with a facility-level compliance officer who reports directly to the owner, governing body, CEO, or some combination.
Compliance Resources
States that compliance departments should have sufficient funding, resources, and staff. "The Compliance Officer should have sufficient funding, resources, and staff to operate a compliance program capable of identifying, preventing, mitigating, and remediating the entity’s compliance risks." "A large organization will likely need a department of compliance personnel with a variety of skills and expertise to implement and monitor the organization’s compliance program and address its manifold compliance needs." Some compliance officers hold the dual role of compliance officer and privacy officer; in that case, OIG recommends that the entity ensure the compliance officer has sufficient staff and resources to perform the additional duties associated with that expanded role. "The Compliance Committee also should ensure that the compliance officer has the capacity to perform or oversee additional audits based on risks identified throughout the year"
Whether there is sufficient staffing and funding for compliance personnel to effectively audit, document, analyze, and act on the results of compliance efforts will be evaluated. Whether compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions will also be reviewed. "Does the company deploy its compliance resources in a risk-based manner, with greater scrutiny applied to greater areas of risk?"
"To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority." A large organization generally should devote more formal operations and greater resources to meeting the requirements of this guideline than a small organization.
The CEO and senior management should ensure that the compliance officer is integrated into the organization and is given the credibility, authority, and resources necessary to operate a robust and effective compliance program.
Compliance Committee
Specifically mentions a compliance committee to oversee the compliance program and support the compliance officer. The committee should include senior executives from various operational functions. The compliance officer should chair the committee, which should meet at least quarterly. Tasks of this group include reviewing and mitigating risk, reviewing and approving the work plan, and approving compliance training. Member attendance, active participation, and contributions should be included in each member’s performance plan and compensation evaluation. "The Compliance Committee’s Primary Duties should include:
♦ analyzing the legal and regulatory requirements applicable to the entity;
♦ assessing, developing, and regularly reviewing policies and procedures;
♦ monitoring and recommending internal systems and controls;
♦ assessing education and training needs and effectiveness, and regularly reviewing required training;
♦ developing a disclosure program and promoting compliance reporting;
♦ assessing effectiveness of the disclosure program and other reporting mechanisms;
♦ conducting annual risk assessments;
♦ developing the compliance workplan;
♦ evaluating the effectiveness of the compliance workplan and any action plans for risk remediation; and
♦ evaluating the effectiveness of the compliance program."
The actions that senior leaders and middle-management stakeholders (e.g., business and operational managers, finance, procurement, legal, human resources) have taken to demonstrate their commitment to compliance and to compliance personnel, including their remediation efforts, should be evaluated to determine the level of commitment to compliance. Those responsible for compliance should have "sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee."
Individuals with operational responsibility should periodically report to high-level personnel and the governing authority; no specific committee tasks are mentioned.
Sponsors must have a compliance committee whose duties include review of Medicare compliance issues. The committee is accountable to the Board. The compliance committee should include individuals with a variety of backgrounds, and members should have decision-making authority in their respective areas of expertise. The committee should meet quarterly; its tasks include developing strategies to promote compliance and the detection of potential violations, reviewing the effectiveness of the system of internal controls designed to ensure compliance with Medicare regulations in daily operations, and approving compliance training.
Compliance committees should support compliance and clinical leadership in developing, implementing, and maintaining strong lines of communication and information exchange through regular reviews of facility-wide or chain-wide (as applicable) compliance, quality, and safety data. Nursing facilities should consider coordinating the compliance committee’s work with the facility’s Quality program.
Board
The Governing Board has oversight of the Compliance Committee and the compliance officer. The guidance specifically calls out Board engagement with the compliance program and giving the compliance officer access to speak with the Board independently. The Board should receive compliance training. "Boards should pay attention to the Commission's Guidelines because federal courts consult them when determining criminal sentences. Corporate boards also have a fiduciary duty of care, which requires that boards assure that “information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information to allow management and the board, each within its scope, to reach informed judgments concerning … the corporation’s compliance with the law . . . . ” In re Caremark, 698 A.2d 959, 970 (Del. Ch. 1996)."
The Board sets the tone for compliance in the organization. The compliance leader should have direct access to the Board. Prosecutors consider the types of information the board of directors reviews in its oversight of compliance, and should evaluate "[t]he authority and independence of the compliance function and the availability of compliance expertise to the board.” "What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up?"
The governing authority should be knowledgeable about the operation of the compliance program and exercise reasonable oversight of the implementation and effectiveness of the program. The individual with operational responsibility should periodically report to this group on compliance program effectiveness.
The sponsor’s governing body must exercise reasonable oversight of the implementation and effectiveness of the sponsor’s compliance program. The governing body should be knowledgeable about compliance risks and strategies and be able to gauge the effectiveness of the compliance program. The governing body must receive training and education on the structure and operation of the compliance program.
Responsible individuals for oversight of compliance: the governing body and its members, owners, investors, operators, and executive leadership. Investors in the nursing facility sector should be actively questioning whether the operating and management companies in their investment portfolios are: (1) complying with Federal health care program requirements and fraud and abuse laws; (2) dedicating the necessary resources to the organization’s compliance and quality programs; (3) providing high quality care; and (4) creating a safe and comfortable living environment for all residents. Responsible individuals should regularly review and assess:
• The facility’s compliance program, including, but not limited to, the performance of the compliance officer, administrator, director of nursing, and compliance committee;
• The facility’s system of internal controls, quality assurance monitoring, and resident care, including resident outcome data;
• The timeliness and thoroughness of the nursing facility’s responses to State, Federal, internal, and external reports of quality of care and resident safety problems;
• The status of remedial efforts developed in response to identified problems; and
• The facility’s adoption and implementation of policies, procedures, and practices designed to comply with Federal health care program requirements, regulations, and professionally recognized standards of resident care.
Training and Education
All levels of the organization should receive annual training, with role-specific training for high-risk areas such as finance, billing, coding, and sales. The Compliance Committee and Board should receive training as well. Completion of training should be a condition of employment, with consequences for noncompletion, and should be reflected in employee performance evaluations. "The annual training plan should incorporate material addressing any concerns identified in audits and investigations. The Compliance Committee should review the training plan at least annually to ensure that compliance training topics and materials address current needs, including any issues identified through monitoring and auditing and changes to Federal and State health care requirements." "Specific topics should include, for example:
• the identity and role of the compliance officer;
• the role of the Compliance Committee;
• the importance of open communication with the compliance officer;
• the various ways individuals can raise compliance questions and concerns with the compliance officer;
• nonretaliation for disclosing or raising compliance concerns; and
• the means through which the entity enforces its written policies and procedures equitably and impartially."
An understanding of the laws applicable to the health care industry and of the role of an effective compliance program is particularly important for investors that provide management services or a significant amount of operational oversight and control in a health care entity.
Compliance training should be provided periodically, with role-specific training for high-risk areas such as finance, billing, coding, and sales. The Compliance Committee and Board should receive training. Topics should include lessons learned from any previous misconduct and related remediation efforts, emerging technologies such as artificial intelligence, and merger and acquisition activity. Organizations will be evaluated on how they measure the effectiveness of the training, including whether employees’ engagement with the training sessions and whether they have learned the covered subject matter have been assessed. Organizations should also be able to show how they address employees who fail all or a portion of the testing, and the extent to which the training has an impact on employee behavior or operations. "Prosecutors should assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners." Training is evaluated based on Risk-Based Training; Form/Content/Effectiveness of Training; Communications about Misconduct; and Availability of Guidance.
The organization should periodically communicate its standards and procedures to all levels of the organization, including the Board, by conducting effective training programs and disseminating information appropriate to individuals' respective roles and responsibilities. Training should be designed based on the size of the organization and the resources available to it.
Requires sponsors to provide annual, effective training and education for their employees, including the governing body, and for FDRs. Sponsors must provide the FWA (fraud, waste, and abuse) training directly to their FDRs or provide appropriate FWA training materials to them. Sponsors must be able to demonstrate that their employees and FDRs have fulfilled these training requirements as applicable. Training should address the compliance program, including the Code of Conduct and the sponsor's commitment to compliance with Medicare program requirements; applicable laws such as the AKS and FCA; how to report suspected compliance issues and non-retaliation for reporting; and examples of reportable noncompliance an employee may observe. Sponsors must educate their enrollees about identification and reporting of potential FWA. Education methods may include flyers, letters, and pamphlets included in mailings to enrollees (such as enrollment packages and Explanations of Benefits ("EOB")), and information published on sponsor websites (especially on enrollee links).
The compliance officer and compliance committee should regularly assess the competency and training needs within the facility and work together to develop a training needs assessment and training plan. Where there is high turnover of staff or frequent change in resident needs, this regular assessment is important to continually provide education that meets the needs of residents. It is recommended that feedback be solicited from facility staff regarding training needs and reactions to completed training. Post-training job performance should also be evaluated to determine the overall impact and effectiveness of training. Nursing facilities should also regularly consider whether training remains dynamic (not exclusively online and computer-based) and gives staff the ability to demonstrate the skills covered in training modules. Training should be developed and provided in response to identified instances of noncompliance. New employees should receive comprehensive training as soon as possible after being hired. Temporary employees should receive appropriate training before they are assigned responsibility for resident care. Educational opportunities should also be extended to physicians, independent contractors, and significant vendors.
Internal Reporting
Employees should be encouraged to bring questions or issues to the compliance officer. There should be a well-publicized method to report concerns anonymously without fear of retaliation, backed by a non-retaliation policy, and all reports should be maintained in a log. "The Compliance Committee should ensure that the entity does not deter individuals from coming forward with compliance concerns by, for example, requesting or requiring that personnel first bring such concerns to their manager or supervisor before contacting the compliance officer." "All disclosures of compliance concerns, including potential violations of entity policies or Federal or State requirements, should be recorded in a log maintained by the compliance officer or their designee." "The disclosure log should include pertinent information regarding each disclosure, such as the date received, the individual or department responsible for review, a description of the investigation’s findings, any corrective actions taken, any policy or process changes made as a result of the investigation, the date resolved, and, if applicable, any resulting referral or disclosure to Federal or State authorities."
Organizations should have a publicized anonymous reporting method that can be used without fear of retaliation. Information from reporting methods should be tracked and analyzed to determine whether there are patterns or trends of misconduct or other compliance issues. The hotline should be tested by tracking a report from start to finish. Reporting mechanisms are assessed on Effectiveness of the Reporting Mechanism; Commitment to Whistleblower Protection and Anti-Retaliation; Properly Scoped Investigations by Qualified Personnel; Investigation Response; and Resources and Tracking of Results.
Organizations should have a publicized system, including anonymous reporting, through which employees and agents may report or seek guidance regarding an actual or potential issue without fear of retaliation.
Sponsors must have an anonymous option for employees and FDRs to report concerns, and FDRs must have an anonymous reporting method as well. These methods must be well publicized. Sponsors must have a system to receive and track reports. Both the sponsor and the FDR must have a non-retaliation policy in place.
As part of a resident safety program, OIG recommends a confidential reporting mechanism, publicized to staff, contractors, residents, family members, guardians, and visitors in multiple ways, that enables the confidential reporting, without fear of retaliation, of any threats, abuse, mistreatment, and other safety concerns directly to senior facility staff who have the authority to take immediate corrective action. Facilities should ensure effective communication systems to facilitate the immediate reporting of resident harm to a facility administrator and other officials, including the State Survey Agency, as required by law, and should educate residents about how to self-report mistreatment by other residents or staff, encourage reporting, and regularly assess residents’ comprehension of those reporting systems.
Incentives for Compliance
Incentives for compliant behavior should be established to encourage participation in the compliance program and reward compliant behavior. The compliance officer and compliance committee should dedicate time, energy, and creativity to identifying the activities and behaviors the entity would like to incentivize. "Other behavior that entities may want to incentivize could include:
• the achievement of compliance goals that are specific to a department or a specific position description;
• achievements that reduce compliance risk (e.g., a team that develops a process that reduces compliance risk or enhances compliant outcomes, or an individual who suggests a method of attaining a strategic goal with less risk); or
• performance of compliance activities outside of the individual’s job description (e.g., mentoring of colleagues in compliant performance or performing as a compliance representative within their department or team)."
States that organizations will be evaluated on whether a comprehensive compliance program, including incentives, exists. "Does the company encourage and incentivize reporting of potential misconduct or violation of company policy?" "At the same time, providing positive incentives, such as promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership, can drive compliance."
States that compliance should be promoted and enforced through the use of incentives.
Discipline for Noncompliance
Appropriate consequences should be established for instances of noncompliance; they should be commensurate with the violation, fair, and equitable, and applied consistently throughout the organization. There should be written, well-publicized procedures for identifying, investigating, and remediating actions that do not comply with Federal or State laws and regulations or with internal standards of conduct. "The compliance officer should monitor investigations and resulting discipline to ensure consistency. Managers and supervisors should be made aware that they have a responsibility to impose consequences for noncompliant behavior in an appropriate and consistent manner."
Discipline should be fair and consistently applied throughout the organization. Management with oversight of the areas where a compliance violation occurred should also face consequences. Discipline should be clearly communicated. It is recommended that compliance measure the effectiveness of consequence management in mitigating future instances of misconduct. "Prosecutors should assess whether the company has clear consequence management procedures (procedures to identify, investigate, discipline, and remediate violations of law, regulation, or policy) in place, enforces them consistently across the organization, and ensures that the procedures are commensurate with the violations." "Prosecutors may also consider whether a company is tracking data relating to disciplinary actions to measure effectiveness of the investigation and consequence management functions. This can include monitoring the number of compliance-related allegations that are substantiated, the average (and outlier) times to complete a compliance investigation, and the effectiveness and consistency of disciplinary measures across the levels, geographies, units, or departments of an organization."
States that organizations should ensure adequate discipline is enforced for offenses, based on the specifics of the individual case, and for failing to take reasonable steps to prevent or detect misconduct.
Sponsors must have well-publicized policies and procedures that demonstrate to CMS that disciplinary standards are enforced fairly and consistently. As a best practice, it recommends de-identifying disciplinary actions in communications to employees to demonstrate that discipline is imposed for violations.
Risk Assessment
This should be a formal process to pull information about risks from a variety of external and internal sources, evaluate and prioritize them and decide which risks to address and how to address them. The Compliance Committee should be responsible for conducting and implementing the compliance risk assessment. Compliance, audit, quality and risk management functions may coordinate to conduct a joint risk assessment to reduce potential redundancy and maximize the use of entity resources. Compliance should continue to look for unidentified or new risks due to enforcement actions, new laws and regulations. "Periodic compliance risk assessments should be a component of an entity’s compliance program and should be conducted at least annually." "Although conducting formal risk assessments may be new to many compliance programs, risk assessments are an integral part of the fiscal internal control process and to enterprise risk management, and are required for recipients of federal awards." "Between compliance risk assessments, the compliance officer should continue to scan for unidentified or new risks, by, for example, monitoring for legal and regulatory changes, enforcement actions and OIG work plan developments, and new entity acquisitions, strategies, or initiatives, and evaluating audits and investigation results."
Organizations should be able to demonstrate how they have identified, assessed and defined risk including how to mitigate the risk. The assessment should include current, relevant risks as well as emerging risks, both internally and externally, as circumstances impacting the organization's risks evolve. A risk assessment should be conducted regarding the use of new and emerging technology and mitigate risks in using the technology, should include lessons learned from previous issues or similar issues in the industry and should include vendor risk management. The assessment should be reviewed periodically for continued relevance. "Prosecutors should also consider “[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment” and whether its criteria are “periodically updated.”
The organization should periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify its compliance program elements to reduce the risk of criminal conduct. These assessments should include the likelihood that criminal conduct may occur given the nature of the organization’s business. If a substantial risk is identified, reasonable steps should be taken to prevent and detect criminal conduct.
Sponsors must conduct a formal assessment of the organization’s compliance and FWA risk areas, ranking risks so that the highest ranked are those with the greatest impact on the sponsor. When a sponsor has a large number of first tier entities, making it impractical and/or cost prohibitive to monitor or audit all first tier entities for all compliance program requirements, the sponsor may perform a risk assessment to identify its highest risk first tier entities, then select a reasonable number of first tier entities to audit from the highest risk groups. The sponsor’s assessment must take into account all Medicare business operational areas, and each must be assessed for the types and levels of risk the area presents to the Medicare program and to the sponsor. Factors that sponsors may consider in determining the risks associated with each area include, but are not limited to, size of department, complexity of work, amount of training that has taken place, and past compliance issues. Areas of particular concern for Medicare Parts C and D sponsors include, but are not limited to, marketing and enrollment violations, agent/broker misrepresentation, selective marketing, enrollment/disenrollment noncompliance, credentialing, quality assessment, accuracy of claims processing, detection of potentially fraudulent claims, and FDR oversight and monitoring. Periodic re-evaluation of the risk assessment and risk areas should be completed.
The ICPG identifies high risk areas for nursing facilities to include quality of care and quality of life, Medicare and Medicaid billing requirements, the Anti-Kickback Statute, the Stark Law, and HIPAA Privacy and Security. The OIG specifically notes that this list is not all-inclusive of risks for nursing facilities. Each facility should assess its specific risks and create monitoring and auditing activities based on those risks. “Because the risk areas and recommendations in the Nursing Facility ICPG are not exhaustive, nursing facilities should closely review the GCPG and the Nursing Facility ICPG in light of their own organizations’ risk profile as they work to implement, evaluate, and update compliance program operations.”
Auditing and Monitoring
The Compliance Committee should schedule audits in the work plan based on the annual risk assessment. The work plan should contain routine monitoring activities of ongoing risks such as annual review of policies and exclusion screenings. The Compliance Committee should ensure the CCO has the capacity to perform and oversee the audits, especially if a systemic issue should arise. Entities should periodically assess their compliance program’s effectiveness. "The compliance work plan also should contain routine monitoring of ongoing risks, plus the capacity to monitor the effectiveness of controls and risk remediation. Examples of routine monitoring of known risks include: • monthly screening of the LEIE and State Medicaid exclusion lists; • regular screening of State licensure and certification databases; and • annual review of the entity’s policies and procedures. Entities may identify other areas appropriate for routine monitoring based on their risk assessment and their interaction with the Federal health care programs, such as high-value billing codes, medical record documentation, medical necessity of admission, or business-need justifications for contracts with referral sources. Short-term monitoring is useful for determining the effectiveness of risk remediation."
The compliance program should be based on the risk assessment and periodically updated. The organization should ensure there are controls in place to monitor new technologies such as AI, and should conduct periodic audits to ensure that those controls are functioning well. These audits should focus on monitoring and testing the technologies so that it can be evaluated whether they are functioning as intended and consistently with the company’s code of conduct. The organization should also monitor how quickly it can detect and correct decisions made by AI or other new technologies that are inconsistent with the company’s values. It is recommended that organizations survey employees to gauge the compliance culture and evaluate the strength of controls. Entities should periodically assess their compliance program’s effectiveness.
Organizations should take steps to ensure their compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct. An example of this monitoring can include regular “walk arounds” or continuous observation while managing the organization. The organization should prevent misconduct by assessing the compliance and ethics program and making the modifications necessary to ensure the program is effective.
The results of the risk assessment inform the development of the monitoring and auditing work plan. Sponsors must establish and implement an effective system for routine monitoring. The system should include internal monitoring and audits and, as appropriate, external audits, to evaluate the sponsor’s (including FDRs’) compliance with CMS requirements and the overall effectiveness of the compliance program. Sponsors should conduct independent audits or review the FDR’s monitoring and auditing reports. The sponsor’s CEO must receive periodic reports from the compliance officer regarding the risk areas facing the organization and the strategies being implemented to mitigate those risks. Sponsors (with oversight and execution being the responsibility of the compliance officer) must develop a monitoring and auditing work plan and conduct monitoring and auditing activities to confirm compliance with Medicare regulations and all applicable Federal and State laws.
To mitigate quality of care risk, facilities should evaluate staffing levels and staff competencies; resident care plans, including resident activities; high resident acuity levels and behavioral health issues; medication management; and resident safety, including emergency preparedness, staff screening, and abuse and neglect. To mitigate billing risks, organizations should evaluate claim preparation and submission under the SNF PPS, the requirements of value-based payment models, Medicare Advantage and Managed Medicare plans, Medicare Part D, and the education of residents about Medicare Health Plan enrollment. To mitigate risks related to the AKS, arrangements involving free services or discounts should fit within the exceptions or safe harbors to avoid implicating the AKS, and arrangements should ensure there is a legitimate need for the services or supplies provided under them. The arrangement should be documented in a contract, and payment and terms should be regularly monitored. OIG mentions risks related to related-party transactions, specifically real estate transactions and outsourcing of administrative or management services, both with payments higher than fair market value. To mitigate these risks, facilities should routinely audit financial data to ensure reporting adheres to Federal regulations and ensure that transactions are at FMV, are of comparable or greater quality than services provided by entities that are not commonly owned, and are chosen based on the needs of the residents and not solely on the profit interests of owners and/or investors. To mitigate risks associated with the Physician Self-Referral Law (PSL), facilities should ensure that all financial relationships with physicians satisfy all requirements of an applicable PSL exception. The ICPG mentions that facilities must accept the applicable Medicare or Medicaid payment for covered items and services as payment in full.
Facilities cannot charge a Medicare or Medicaid enrollee any amount beyond what is otherwise required to be paid for the items and services under the Federal health program.
Investigations
Investigations should be prompt and thorough. The compliance officer should notify relevant leaders and coordinate with internal legal counsel as needed upon receipt of a report. A record of the investigation should be maintained, including documentation of the violation, the investigation process, interview notes and key documents, a log of witnesses interviewed, the results of the investigation, and any disciplinary or corrective action taken. The compliance officer or counsel should take appropriate steps to secure, or prevent the destruction of, documents or other evidence relevant to the investigation. Based on the potential scope and severity of the suspected violation and the necessary investigative tasks, entities should consider whether they need to engage external counsel, auditors, or health care experts to aid with the investigation. If counsel or the compliance officer believes the integrity of the investigation may be at stake because of the presence of employees under investigation, those subjects should be removed from their current work activity until the investigation is completed (unless an internal or Government-led undercover operation is in effect). "The compliance officer also should have the authority to interview anyone within or connected to the organization in connection with a compliance investigation, or designate an appropriate person to conduct such an interview." "The disclosure log should include pertinent information regarding each disclosure, such as the date received, the individual or department responsible for review, a description of the investigation’s findings, any corrective actions taken, any policy or process changes made as a result of the investigation, the date resolved, and, if applicable, any resulting referral or disclosure to Federal or State authorities." "Throughout an investigation of any noncompliant conduct the compliance officer should be gathering information to aid them in determining the root causes of the conduct."
"Even in the absence of a formal disclosure program, small entities should have policies in place that ... outline a process for the investigation...."
Investigations should be appropriately scoped, independent, objective, and empowered to enforce policies and ethical values. Entities should have a process for handling investigations that includes routing to the proper personnel, timely completion of a thorough investigation, and appropriate follow-up and discipline. The process should apply timing metrics to ensure responsiveness and include a process for monitoring the outcome of the investigation, ensuring accountability for the response to any findings. If an entity can demonstrate that its compliance program identified the misconduct and allowed time for remediation and self-reporting, the DOJ would view this as a strong indicator that the compliance program is working effectively. "Prosecutors should also assess the company’s processes for handling investigations of such complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and discipline." "In assessing whether a company’s compliance program was effective at the time of the misconduct, prosecutors should consider whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts."
After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct.
Sponsors must establish and implement procedures and a system for promptly responding to compliance issues as they are raised, investigating potential compliance problems as identified in the course of self-evaluations and audits, correcting such problems promptly and thoroughly to reduce the potential for recurrence, and ensuring ongoing compliance with CMS requirements. If the sponsor discovers evidence of misconduct related to payment or delivery of items or services under the contract, it must conduct a timely, reasonable inquiry into that conduct. Sponsors are required to investigate potential FWA activity to make a determination whether potential FWA has occurred and must conclude investigations of potential FWA within a reasonable time period after the activity is discovered. Sponsors should maintain files of previous investigations and complaints resulting in investigations.
Corrective Action
The outcome of the investigation should determine whether, and what kind of, reporting to the government is needed. Prompt reporting demonstrates the entity’s good faith and willingness to work with the government to correct and remedy misconduct. If there are material violations of law where no monetary loss to a Federal health program or government entity has occurred, corrective action and reporting to CMS or the state Medicaid program is still necessary to protect the integrity of the program and the enrollees. If credible misconduct is discovered, the entity should promptly (not more than 60 days after the determination that a violation exists) notify the appropriate government authority of the misconduct. Violations that may warrant immediate notification to the government, prior to or simultaneously with an internal investigation, include a clear violation of criminal law; a significant adverse effect on patient safety or quality of care; and evidence of a systemic failure to comply with applicable laws, an existing CIA, or other standards of conduct, regardless of the financial impact on Federal health care programs. Once sufficient evidence of a violation is established as to the nature of the misconduct, the entity should take prompt corrective action, including refunding overpayments, enforcing disciplinary policies, and making any necessary changes to policy or procedure to prevent recurrence of the misconduct. A root cause analysis should be performed to identify what corrective actions or changes to policy should be taken to prevent future misconduct. Overpayments to Medicare or state Medicaid must be refunded within 60 days of identification.
Entities should undertake a root cause analysis to understand what led to the misconduct and the level of remediation needed to prevent recurrence. In conducting a root cause analysis, entities should evaluate whether there were prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations, and whether any of those opportunities were missed. Entities should assess what specific changes can be made to reduce the risk of the same or similar issues occurring in the future. If an entity can demonstrate that its compliance program identified the misconduct and allowed time for remediation and self-reporting, the DOJ would view this as a strong indicator that the compliance program is working effectively. "Prosecutors should also consider whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the underlying misconduct and the degree of remediation needed to prevent similar events in the future." To “receive full credit for timely and appropriate remediation” under the FCPA Corporate Enforcement Policy, a company should demonstrate “a root cause analysis” and, where appropriate, “remediation to address the root causes.”
After criminal conduct has been detected, the organization shall take reasonable steps to prevent further similar criminal conduct, including making any necessary modifications to the organization's compliance and ethics program.
The compliance officer is responsible for the development and implementation of corrective action plans. These plans should be monitored to assess their effectiveness. When corrective action is required of an FDR, the sponsor must ensure the corrective actions are taken by that entity. The sponsor is obligated to perform its own auditing of first tier entities. In creating a corrective action plan for an FDR, the sponsor must document the details of the plan in writing, including the consequences should the FDR fail to implement the corrective action satisfactorily. The sponsor must conduct appropriate corrective actions (for example, repayment of overpayments, disciplinary actions against responsible individuals) in response to violations. Where a sponsor discovers an incident of significant Medicare program noncompliance, the sponsor should report the incident to CMS as soon as possible after its discovery. This will enable CMS to provide guidance to the sponsor on mitigating the harm caused by the noncompliance. Self-reporting offers sponsors the opportunity to minimize the potential cost and disruption of a full-scale audit and investigation, to negotiate a fair monetary settlement, and to potentially avoid an OIG permissive exclusion preventing the entity from doing business with Federal health care programs.
Exclusions
Mandatory Exclusions: OIG is required by law to exclude from participation in all Federal health care programs individuals and entities convicted of certain types of criminal offenses, including: offenses related to the delivery of an item or service under Medicare or a State health care program; patient abuse or neglect; felony convictions for other health care-related fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct; and felony convictions relating to the unlawful manufacture, distribution, prescription, or dispensing of controlled substances. Permissive Exclusions: OIG has discretion to exclude individuals and entities on a number of grounds, including (but not limited to) misdemeanor convictions related to health care fraud not involving Medicare or a State health program; fraud in a program (other than a health care program) funded by any Federal, State, or local government agency; suspension, revocation, or surrender of a license to provide health care for reasons bearing on professional competence, professional performance, or financial integrity; submission of false or fraudulent claims to a Federal health care program; engaging in arrangements that violate the Federal anti-kickback statute; and defaulting on health education loan or scholarship obligations. The effect of an OIG exclusion is that no Federal health care program payment may be made for any items or services furnished: (1) by an excluded person, or (2) at the medical direction or on the prescription of an excluded person. Payment for claims submitted to a Federal health care program for items or services furnished by an excluded individual or entity results in an overpayment, regardless of whether the excluded individual had a provider identification number and the ability to bill separately.
To avoid overpayment and CMP liability, entities participating in Federal health care programs should check the LEIE before employing or contracting with individuals and entities, and periodically check the LEIE to determine the exclusion status of current employees and contractors. OIG recommends that entities check employees, contractors, and other individuals or entities that provide items and services that may be paid for by the State Medicaid programs in which they participate against such State Medicaid program exclusion lists.
"The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program."
Sponsors must review the DHHS OIG List of Excluded Individuals and Entities (LEIE list) and the GSA Excluded Parties Lists System (EPLS) prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member, or FDR, and monthly thereafter, to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs. Sponsors are prohibited from using federal funds to pay for services, equipment or drugs prescribed or provided by a provider, supplier, employee or FDR excluded by the DHHS OIG or GSA.
In addition to OIG exclusion checks at hire and monthly thereafter, the ICPG recommends recruitment and screening practices that ensure prospective and existing employees have the appropriate training, education, and certification required to perform their job function. The recommended screening process includes a comprehensive criminal record check for each State in which the individual has worked or lived and verification of licensure, as applicable. In addition, it is recommended that recurring background checks of non-licensed employees be conducted.
Conflicts of Interest
Mentioned in the AKS description under potential conflicts of interest: it is important to determine whether acceptance of the remuneration would diminish, or appear to diminish, the objectivity of professional judgment.
When developing audits to include in the work plan, CMS recommends audits to examine the performance of the compliance program, including a review of conflict of interest disclosures/attestations, and sampling for evidence in support of attestations, if the sponsor uses attestations to monitor compliance.
The ICPG discusses how potential or actual conflicts of interest (for example, a facility's consultant pharmacist being affiliated with a drug company) could lead to risks of overprescribing or inappropriate prescribing. To minimize the potential for conflicts of interest related to pharmaceutical decisions, it is recommended that facilities:
- consider separate contracts for consultant pharmacist services and LTC pharmacy services;
- require pharmacists to disclose any affiliations they may have which could pose a conflict;
- ensure payment is FMV and does not take into consideration the volume or value of drugs prescribed;
- implement policies that state all prescribing decisions must be based on the best interest of the resident; and
- monitor drug records for patterns that may indicate inappropriate drug switching, steering, or overprescribing.
Mergers and Acquisitions
States that the compliance officer should continually scan for unidentified or new risks, including new entity acquisitions. This risk should be assessed with the same methods used in the compliance risk assessment, and, based on this evaluation, the organization can determine how to address any risks associated with a merger or acquisition.
Compliance programs should include due diligence on any acquisitions or mergers, including a process for the timely and orderly integration of the acquired entity into the existing compliance program. Failure to conduct pre- or post-acquisition due diligence and integration can result in harm to the profitability and reputation of a business as well as the risk of civil and criminal liability. "How has the compliance function been integrated into the merger, acquisition, and integration process?"
Organizations must exercise due diligence to prevent and detect criminal conduct, including in acquisitions.
SME Highlight
Melissa Andrews, CP, CHPC, CHC
Melissa Andrews is a Senior Manager, Compliance Services, specializing in privacy and compliance at Clearwater. Melissa brings Clearwater clients more […]
SME Highlight
Ann Tiffany, CHC
Ann Tiffany is a Compliance Consultant at Clearwater with extensive experience in federal and state healthcare regulations, including Anti-Kickback, Stark, […]