Compliance Perspectives show

Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: service@corporatecompliance.org

  • Artist: SCCE
  • Copyright: Society of Corporate Compliance & Ethics

Podcasts:

 Kortney Nordrum on Social Media Risk in 2022 [Podcast] | File Type: audio/mpeg | Duration: 11:39

Posted by: Adam Turteltaub

Social media keeps evolving: from MySpace to Facebook to Twitter to SnapChat to TikTok to whatever comes next. One thing stays the same, though: there are lots of compliance risks.

In this podcast Kortney Nordrum, Regulatory Counsel and Chief Compliance Officer at Deluxe and author of the chapter “Social Media Compliance” in The Complete Compliance and Ethics Manual, shares both the state of the regulatory landscape and practical advice on how to best manage the challenge.

When it comes to regulators, several have weighed in, she reports.

* The National Labor Relations Board (NLRB) has wavered back and forth on various issues but has consistently emphasized that employees may use social media, and employers cannot limit their activities so long as those activities do not have negative impacts on the reputation or credibility of the business. There are, however, a great number of nuances, including that griping about an employer is generally protected.
* The Securities & Exchange Commission (SEC) is focused on ensuring that anyone who invests has access to company information at the same time. As we have all seen with Elon Musk’s ongoing battles with the SEC, they tend to frown on certain statements made on Twitter.
* The Equal Employment Opportunity Commission (EEOC) has been consistent in its approach, warning that companies that do social media searches of their employees need to recognize that this may reveal an employee is a member of a protected class, and that information may not be used in a way that adversely affects the employee.

For compliance teams it’s important to lay out social media policies using rules that are easy to understand. The rules need to be reasonable, simple and use plain language. An example may be, “Do not share confidential information,” with an explanation of what confidential information is.

When working with the team that controls the organization’s social media account, have a separate policy for them since different issues likely apply. Provide them with training and be prepared to serve as an ongoing resource eager to engage in conversation about what is good and bad practice.

In short, social media and the related risks are here to stay. In fact, you’re reading this on a form of social media. So, it’s best to listen in and learn how to manage the risk.

 Lisa Beth Lentini Walker on Compliance in Remote and Hybrid Environments [Podcast] | File Type: audio/mpeg | Duration: 11:44

Posted by: Adam Turteltaub

Even if Covid were to disappear tomorrow, it’s clear that things will long remain different, including how we work. Many employees will never spend eight hours a day, five days a week in the office again.

So how should compliance teams address the new work environment and ensure a culture of compliance? That’s the subject of this podcast with Lisa Beth Lentini Walker (LinkedIn), CEO & Founder of Lumen Worldwide Endeavors and a member of the board of the Society of Corporate Compliance and Ethics & Health Care Compliance Association. It’s also the subject of the chapter “Building Cultures of Integrity in Remote and Hybrid Environments” in the latest edition of The Complete Compliance and Ethics Manual.

As Lisa Beth explains, even though we have grown accustomed to new ways of connecting online, it’s still not the same as being in the same physical environment with someone. That’s a challenge, she reports, because there is an element of proximity bias in how we interact, preferring people that are closer to us. This bias will require a conscious effort to avoid creating an “us-them” culture where those who are in the office differentiate themselves from those who aren’t.

Preserving and strengthening a corporate culture will also be a greater challenge since culture, itself, is an accumulation of experience of everyone in the organization. When people are less connected, it takes more work, particularly when it comes to communication, to build clarity around vision and values, the stories people tell about the organization, and the support of leadership.

Compliance teams will need to be alert for signs of trouble, including ethics incidents and disengagement. To address these problems, she recommends starting with the senior team. Educate them as to what is happening and gain their support for a renewed, resilient culture of integrity. Then, make sure the policies and procedures are designed to help support the culture.

Throughout, it’s important to communicate, not just once but frequently. Moreover, you need to do so in a tailored way that reflects the needs and mindsets of the various groups within your organization and encourages their feedback.

Listen in to learn more about how to build and sustain an effective compliance and ethics program in the new work world.

 Sandra Joe on the No Surprises Act [Podcast] | File Type: audio/mpeg | Duration: 12:53

Posted by: Adam Turteltaub

The No Surprises Act is a patient-friendly piece of legislation designed to protect consumers from unexpected medical bills. As Sandra Joe (LinkedIn), Senior Compliance Analyst at NorthShore University HealthSystem explains in this podcast, surprise bills had typically arisen in three cases:

* A patient visits an out of network provider in an emergency
* While at an in-network facility, charges are incurred by an out-of-network provider
* When self-pay patients undergo a procedure and only find out what it costs after the fact

The No Surprises Act established new Federal protections to prevent these costly occurrences. It bans out of network cost-sharing and balance billing. It also requires that health care providers and facilities provide easy-to-read and understandable notices explaining their billing protections and providing information on who to contact for patients who are concerned that their protections were violated.

For the uninsured and those choosing to pay for their own procedures, the law provides that they receive a good faith estimate, at least one day in advance, for a scheduled procedure. If the charges exceed the estimate by $400 or more, patients have the right to dispute the cost.

So what should compliance teams do? Be sure to document the steps you take to put proper controls in place, including the training that is provided to the workforce. Familiarize employees with how to update good faith estimates if there are changes, and make sure the necessary disclosures are posted in both provider settings and on the website.

Listen in to the podcast to learn more about how not to be surprised by the requirements of the No Surprises Act.

 Lisa Beth Lentini Walker on ESG and Compliance [Podcast] | File Type: audio/mpeg | Duration: 10:44

Post by: Adam Turteltaub

ESG has exploded, but what is it and what is the role for compliance teams? Lisa Beth Lentini Walker (LinkedIn), CEO & Founder of Lumen Worldwide Endeavors and a member of the board of the Society of Corporate Compliance and Ethics & Health Care Compliance Association, provides her answers in this podcast.

ESG, which stands for Environmental, Social and Governance, she explains, is very much an evolution of the Corporate Social Responsibility (CSR) movement. It focuses beyond shareholder value and looks at the role of the organization much more broadly, including who and what it is accountable to.

ESG does not work as an independent initiative, she warns. Instead, it must be integrated into operations, much like privacy or safety. It needs to be aligned with how the organization operates in the world and, importantly, the company’s values.

Because it is so broad in its sweep, encompassing a wide range of compliance issues such as human trafficking and rights, bribery, environmental laws, non-discrimination, and anticorruption, it’s a natural area for the compliance team to get involved. But ESG goes beyond the legal requirements and encourages organizations to set a higher floor for their behavior, which is, of course, very reminiscent of ethics programs.

So where do compliance and ethics teams fit? They need to be a part of the solution, providing rigor around metrics and risk assessment. Compliance professionals also need to be present to advocate for values-driven decision making here, as elsewhere.

Listen in to learn more about ESG, compliance and the relationship between them.

 Matt Reid on Compliance and the JAG Corps [Podcast] | File Type: audio/mpeg | Duration: 13:40

Post by: Adam Turteltaub

There are, of course, many lawyers in compliance. They typically enter the field after stints as prosecutors, white collar defense lawyers, or after careers in law firms and the general counsel’s office. Less typical, and arguably wrongly so, are attorneys who have been in the military’s Judge Advocate General (JAG) Corps.

In this podcast, Matt Reid, General Counsel and Chief Compliance Officer for iron and steel producer Bradken, shares his journey from JAG to compliance officer, and, as he explains, his time in the JAG Corps was better preparation than many would think.

Practicing law in the Army gave him the opportunity to gain an enormous range of experiences. He worked as a prosecutor in Germany and defense attorney in the DC area. While stationed in Egypt, the position consisted of what the military calls “administrative law” but is very similar to compliance. He regularly dealt with issues such as conflicts of interest and export controls, for example.

When he joined the civilian world he was surprised by the similarities but also one key difference: the power of the compliance officer, particularly in healthcare. As he explained, in the military he was an advisor to the commander, who ultimately made the final decision. In civilian life he discovered that saying “no” to something had much greater impact and there is a need to be judicious in the word’s use. Instead, it’s better to use “yes, but” and work with the business team on finding a solution.

Fortunately, that’s a skill JAG officers learn and one of the reasons why he is an advocate for bringing more former military attorneys into the compliance profession. They are expert at finding solutions that accomplish the mission while still falling within the lines.

Listen in to hear more of his fascinating experiences and insights, and maybe change your perspective when next looking to add a member to your compliance team.

 Joseph Suich on a Career in Compliance [Podcast] | File Type: audio/mpeg | Duration: 12:01

Posted by: Adam Turteltaub

Joseph Suich has been enjoying an interesting and well-traveled career. His work at GE took him from Connecticut to Moscow to Prague to Zurich, where roles ranged from chief compliance officer to general counsel and later Global Chief Compliance Officer for GE Power. After his time with them he joined the New York State Department of Public Services to form and run a new unit, the Office of Investigations and Enforcement, which investigates and prosecutes utilities. He subsequently left there and is currently serving as US Chief Compliance Officer for National Grid, an electric utility that serves customers both in the US and United Kingdom. He also teaches compliance law at the Albany Law School.

In this podcast he shares his fascinating journey as a compliance officer and insights into the minds of regulators from his years of experience interacting with them.

For companies facing a regulatory issue he advises approaching the regulator honestly. A company instantly loses credibility, he warns, if it pushes a bad position from the start. If the company or an employee clearly did something wrong, don’t argue otherwise. Admit the mistake and focus on what you did right. Also, be aware that the regulator may not fully understand the context of your business. Be sure to invest the time in helping him or her appreciate the challenges and the reasons behind the actions your organization took.

Joseph closes the discussion by looking to the future, particularly the fast-evolving Environmental, Social and Governance (ESG) movement. While ESG is still in flux from a compliance perspective, he advocates compliance teams begin to get a handle on its scope, how the organization is monitoring it, and the risks involved.

Listen in to hear more about his career and experience.

 Swagata Roy on Creating a Policy Hierarchy [Podcast] | File Type: audio/mpeg | Duration: 12:24

Post by Adam Turteltaub

Every organization has policies, typically many of them, and often varying by department and location. Getting a handle on all of them can be a difficult task, and ensuring that there is consistency adds a layer of complexity.

Swagata Roy, Director, Compliance Strategy and Performance, Liberty Energy and Water, is an advocate for creating a policy hierarchy. It can help overcome common challenges, she argues, such as keeping policies current, relevant and accessible.

As she explains in the podcast, a policy hierarchy is a partially centralized and partially decentralized approach to managing policies that is risk based. It begins with assigning a level to each policy according to the risk and how widely applicable it is. At the top would be the code of conduct and those policies addressing the greatest risk areas. Other higher-level policies include those addressing health and safety, privacy, diversity and the environment. All of these tend to be reviewed and approved at the top level of the organization.

Below these policies are ones that are jurisdiction or procedure-based, such as gift and entertainment. And still others fit under these. Careful thought must be given to ensure that lower-level policies fit squarely under higher-level ones and both provide added details and consistency.

Once the hierarchy is created it needs to be monitored on an ongoing basis, she explains, to adjust for regulatory changes.

To get business ownership she offers two pieces of advice. First, make it clear that compliance has centralized the administrative aspects of policy management, which makes it easier for the business team. Second, if your organization has compliance champions or ambassadors, use them to socialize the hierarchy and act as your eyes and ears.

Listen in to learn more about creating an effective compliance policy hierarchy.

 Raul Ordonez on Telehealth [Podcast] | File Type: audio/mpeg | Duration: 13:20

Post By: Adam Turteltaub

The pandemic may, please, finally, we hope, be coming to an end. That’s great cause for celebration, but it also portends a period of adjustment for healthcare, according to Raul G. Ordonez (LinkedIn), Associate Vice President for Compliance at Jackson Health System. Telehealth, which exploded during the Public Health Emergency (PHE), is likely to see several changes.

As he explains in this podcast, before the pandemic telehealth was largely limited to underserved rural areas. When the emergency began, though, the Centers for Medicare and Medicaid Services (CMS), which has latitude in determining which services were allowed and who was eligible, allowed for hundreds of new codes for telehealth that are reimbursable for Medicare patients. Eligibility was expanded to patients all over the US, even those seeing a doctor from their own homes.

Once the PHE ends, CMS has stated that many of the waivers for telehealth services will also come to an end. While there will be a notable exception for many mental health services, the end of the vast majority of waivers calls for compliance teams to start planning for a very different future than the present climate. And, they must do so at a time in which the US federal government has a keen eye on False Claims cases and the OIG, as a part of its workplan, will be looking at a host of telehealth-related items.

Listen in to learn more about how to prepare for the upcoming, new era in telehealth.

 Jeff Kaplan on 30 Years of the Sentencing Guidelines [Podcast] | File Type: audio/mpeg | Duration: 12:18

Post By: Adam Turteltaub

For most of us, it’s hard to imagine a time before the US Federal Sentencing Guidelines came into being and set the direction for compliance and ethics programs. Jeff Kaplan, partner at the law firm Kaplan & Walker and longtime compliance leader, remembers those pre-Guidelines times, and in this podcast we discuss the changes that have come, those that didn’t happen, and those that may yet occur with compliance programs.

Even after thirty years he reports that, in many ways, we are still getting started. While many organizations have developed robust compliance programs, a large number are still at the starting gate. In addition, many business people, particularly in management, tend to think of compliance as something less than sales, marketing or other departments, and not worthy of the investment. A related challenge is what he called the “mission accomplished phenomenon”, which he defines as a tendency to see compliance as an event rather than an ongoing program.

Still, he sees the glass as something more than half filled and creating new challenges. For more developed programs, he believes, now is the time to maintain a sense of urgency and improve performance. One approach he advocates for is a stronger embrace of the field of behavioral ethics. A part of social science, behavioral ethics illuminates what impacts our ethical decision-making and illuminates the biases which can lead to less than ethical decisions, even when there is intent to do the right thing.

Looking to the future, he sees more work being done in the area of incentives, a struggle with Artificial Intelligence, and more nanocompliance. What is nanocompliance? Listen in to find out.

 Matt Kelly on Cybersecurity and Suppliers [Podcast] | File Type: audio/mpeg | Duration: 15:16

Post By: Adam Turteltaub

Matt Kelly, Editor & CEO of Radical Compliance, makes a strong case in this podcast for a need to reassess cyber risk. It is becoming, he says, less of a technical issue and more about how companies interact with others: employees, contract workers, vendors and customers are all risk points for cyber intrusions.

This calls for organizations to ask some key questions about outside partners:

* Should they have access to the network?
* What access should they have?
* Are they straying where they shouldn’t?

These, he notes, are all questions compliance professionals are likely used to asking about other risk areas.

The solution, he argues, involves training, of course, but it also involves using some of the techniques developed for vetting third parties for anti-corruption risk. Ask the business people: How are they going to use the supplier? Why are we outsourcing this? Why did you select this third party?

Bottom line is that you need to understand what the business purpose is and ensure the relationship is fit for the purpose and properly monitored and audited. It’s also critical to ensure that when a relationship ends, access to systems ends with it.

For existing relationships, make sure there is a clear understanding of who owns it. In some cases, there may be no clear owner, which can be a red flag that the vendor probably doesn’t belong on your systems.

Listen in to learn more and hear Matt discuss issues such as how to overcome vendor resistance to audits, understanding when a vendor’s IT security is even better than yours, and the importance of a software bill of materials.

 Chris Deacon on Fiduciary Duties and Self-Funded Health Plans [Podcast] | File Type: audio/mpeg | Duration: 11:51

Post By: Adam Turteltaub

Self-funded health plans are very common these days among larger employers and governmental entities. Private sector plans are typically subject to ERISA, which imposes a fiduciary duty, and even plans covering government employees have fiduciary obligations.

What does that mean in practice? Chris Deacon, Senior Vice President of 4C Health Solutions and former director of the State of New Jersey Health Plan, explains in this podcast that the plan administrator, vendors and the plan, itself, have a fiduciary duty. That means all actions have to be performed for the best and sole interest of the beneficiaries and the plan. Vendors have to be selected and evaluated accordingly. Duties have to be carried out prudently. The plan’s documents must be followed consistently. So, for example, the plan can’t pay some out-of-plan claims and not others.

It sounds fairly clear, but, she explains, it isn’t because of the opacity in health care pricing. It’s difficult to know if the charges are reasonable or not. One step she strongly recommends is to demand ownership of the claims data and insist it be provided in a way that is usable. That will help ensure that the money is being spent properly, and the plan administrators are living up to their fiduciary obligations.

Listen in to learn more about how to live up to the fiduciary duties of your self-funded plan.

 Marchese, Urfi and Grimes on Ethical AI in Healthcare [Podcast] | File Type: audio/mpeg | Duration: 16:08

Posted by: Adam Turteltaub

As the business world embraces Artificial Intelligence (AI) it’s important for compliance teams to understand what this technology is and what risks it can bring. In this podcast and at the 2022 HCCA Compliance Institute, oversight considerations for ethical AI are addressed by Shawn E. Marchese, Global Head of Compliance; Nakis Urfi, Product Compliance Officer; and Dr. Keith Grimes, Clinical Digital Health & Innovation Director, all at Babylon Health.

At its root, they explain, AI is about automating tasks that would otherwise require a human brain. This means activities such as pattern recognition and even decision making.

The role of AI in healthcare is increasing because there aren’t enough people to fill all the positions. It is already used for predicting which groups are at higher risks and for monitoring changes in X-rays. And, if you have ever encountered a chat bot, that’s AI in practice.

Over time they anticipate AI being used in more places to optimize healthcare delivery, summarizing notes and as decision support for prescribing. It can also, potentially, minimize the risk of false positives and even be used to track regulatory changes.

But, with AI come several concerns. If unsupervised it can make decisions that can’t be controlled and have unintended consequences. Bias is also a persistent problem, especially if the data is not representative of the population. There have already been several examples of discriminatory behavior in hiring, loans, and facial recognition. The AI team needs to take steps to ensure that it is feeding the AI accurate data and correcting for biases.

So what should the compliance team do? Stay on top of the AI use in your organization. Make sure that it is producing accurate results and ensure that there are safeguards in place with human oversight.

Be sure to address the privacy, security and safety concerns to avoid losing trust and damaging your organization’s reputation, not to mention some potentially large settlements. Make sure, also, that there is ethical oversight that is cross functional. There should be a process for raising and reviewing ethical issues, which can come up with some frequency.

Listen in to learn more, and then plan on attending their session at the 2022 HCCA Compliance Institute.

 Salvador Dahan on the Journey of Petrobras [Podcast] | File Type: audio/mpeg | Duration: 14:40

Post By: Adam Turteltaub

Operation Lava Jato (Carwash) had a profound effect on business in Brazil, with countless companies caught up in one way or another in the corruption scandal. State oil company Petrobras was no exception, but, as is the case with so many compliance incidents, the question quickly moved from what happened to what are you going to do about it.

At the 2022 SCCE European Compliance & Ethics Institute, Salvador Dahan (LinkedIn), Executive Director, Chief Governance & Compliance at Petrobras will be addressing the company’s ethical journey. He shares some of the story in this podcast.

Petrobras entered into a Non-Prosecution Agreement (NPA) that included a provision that the company had to agree to collaborate with all the investigations underway, not just with the US. The company also agreed to $850 million in fines to authorities in the US and Brazil. And, of course, it was required to improve its compliance program and internal controls.

How did the company go about the transformation? Leadership provided a strong tone at the top. The head of compliance was placed at the Executive Director level and made a part of any major decision in the company. In addition, there is a direct line of report to the board of directors. There is even a formal hiring and termination process for the compliance team to protect the program against retaliation. The company also embraced a three lines of defense model, with compliance playing an integral role.

Petrobras is continuing along its journey, Salvador reports. They are working to restore employee confidence and helping the workforce see the company is made up of individuals with strong ethical values. Supporting this initiative has been a great deal of communication designed to show that these are real actions, not just words. Every meeting in the company now starts with a five-minute discussion about ethics, integrity and transparency.

They have also established a force of more than 200 ambassadors, known as Integrity Agents, to build bridges between the compliance team and the business unit.

What does he recommend for other organizations going through a crisis? Several things:

* Quickly recognize the situation, accept what is happening and begin collaborating
* Talk to employees with transparency, outlining the next steps, long-term commitments, as well as do’s and don’ts.
* Provide a clear sense of direction. It mitigates noise and a lack of confidence.
* Find out your vulnerabilities, and then act as soon as possible.
* Get an independent opinion. An outside voice can be very helpful.

Listen in for more lessons, including how to continue to strengthen your organization, even after the NPA comes to an end.

 David Baule on Keeping up with Healthcare Licensing [Podcast] | File Type: audio/mpeg | Duration: 8:50

Post By: Adam Turteltaub

Doctors, nurses and other medical practitioners must often keep up multiple licenses and certifications. There is everything from board certifications to confirmations of inoculations to track. Adding to the complexity: equipment has its own set of licenses and certifications, and so do the facilities themselves.

Miss a deadline, and it’s not just simply a matter of paying a late fee. It may mean a surgeon can’t operate or a piece of equipment needs to be taken offline, negatively impacting both patient care and the bottom line.

Keeping on top of it all can be a nightmare, explains David Baule, CEO of MISO3, in this podcast. The challenge is amplified by the fact that each certification has its own renewal dates, frequency of renewal, and can be tracked in multiple different places, including third party databases.

How do you stay on top of it all? Like much else in compliance, he advises, by prioritizing. Also, look to automation.

Listen in to learn more about the risks and possible solution.

 Bret Bissey and James Rose on ERM, GRC and Compliance Risk Management [Podcast] | File Type: audio/mpeg | Duration: 15:00

Post By: Adam Turteltaub

The relationship between Enterprise Risk Management (ERM) and compliance risk management is a complex and confusing one. There is the potential for overlap and even conflict.

To help clear the air and improve the relationship among the various approaches to risk, Bret Bissey, Vice President, Chief Compliance Officer, Gateway Health and James Rose (LinkedIn), Managing Director, SunHawk Consulting will be leading a session, “Establishing the Enterprise ERM/GRC Strategy with Compliance in Mind,” at the 2022 HCCA Compliance Institute, which will be taking place online and in Phoenix March 28-31.

In this podcast they offer a wealth of advice for compliance teams including:

* Having the right sponsor is key
* This is about having a dialogue across the organization
* The goal is to help business operators achieve their goals
* A good process helps prevent surprises
* There are naturally going to be some tensions, particularly when it comes to allocating resources
* Expect different views of how much data should be tracked and how useful it will be
* Be sure to capture the goals and interests of the C-suite and board

Listen in to learn more and then join us in person or online for the 2022 HCCA Compliance Institute.
