Compliance Perspectives show

Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: service@corporatecompliance.org

  • Artist: SCCE
  • Copyright: Society of Corporate Compliance & Ethics

Podcasts:

 Mary Ellen Palowitch on EMTALA [Podcast] | File Type: audio/mpeg | Duration: 12:11

By Adam Turteltaub

In 1986 the Emergency Medical Treatment & Labor Act (EMTALA) was enacted. As Mary Ellen Palowitch (LinkedIn), Senior Managing Director, Dentons Health Care Group, explains in this podcast, just because it is long established doesn’t mean health care providers have it completely under control. Issues continue to come up.

EMTALA requires hospitals that participate in Medicare, including rural emergency hospitals, to provide a medical screening to determine if there is a medical emergency. If, in fact, the patient requires treatment, the hospital must provide stabilizing treatment within its capabilities, regardless of whether the patient has the means to pay.

Two areas often cause confusion and real issues under EMTALA. They are best known by the phrases “clinically stable” and “stable for transport”, neither of which is defined in EMTALA. Clinically stable, she explains, may mean anything from a comparison with how the patient first presented to a reflection of the patient’s overall condition. Stable for transport is a term commonly used in hospitals. It does not technically mean the patient is stable, but it signifies that the patient has achieved the level of care that the hospital can provide. Basically: the hospital has done all that it can, and it may be more prudent for the patient to be transferred elsewhere for the care needed.

Complaints do arise under EMTALA and may come from patients or their families. When one is sent in to the government, a multistep process begins. The complaint is reviewed and can lead to an onsite investigation that may include comparisons to how other patients were treated, interviews with staff, a tour of the emergency department and review of records. Hospitals found to be deficient are required to remediate promptly.

Listen in to learn more about how to avoid and manage EMTALA issues in your emergency center.

 Lindsay Meyer Bond on Protecting Children in Higher Education Settings [Podcast] | File Type: audio/mpeg | Duration: 12:50

By Adam Turteltaub

While we tend to think of colleges and universities as being filled with college students, children much younger are often on campus. In fact, Lindsay Meyer Bond, Executive Director of the Higher Education Protection Network, says that there may be more minors on campus than regular students. Everything from enrichment programs to sports camps can bring hundreds of children with them.

When looking for guidance as to how to keep campuses safe for children, there is no federal law to turn to. Instead, there is a patchwork of state regulations, and many universities have had to create policies of their own. For the most part, these policies require the reporting of suspected abuse or neglect. Many now require background checks for those interacting with kids that may go beyond the initial screening when hiring.

Often universities have codes of conduct that prohibit one-on-one interactions with minors, but there is complexity there. A professor may not know that the student showing up for office hours is under eighteen. In addition, there may be conflicts of law and regulations. Ohio State University has a program, she explains, where students can learn to fly. FAA regulations stipulate that only the student and instructor may be in the plane. Their solution: when the student is on the ground, he or she is never alone with an instructor.

To successfully navigate the challenges of minors on campus, she recommends strong policies and ongoing communications plans. With turnover frequent in youth programs, it is risky to assume that the adults have been fully trained, unless that training is continuous. In addition, keep an eye on your campus Name, Image and Likeness (NIL) program. College athletes may be running their own programs and not be aware of all the rules.

Listen in to learn more about how to manage this difficult and sensitive issue.

 W. Bruce Cameron on Simple Rules, Dogs and Ethics [Podcast] | File Type: audio/mpeg | Duration: 11:56

By Adam Turteltaub

W. Bruce Cameron is the author of 8 Simple Rules for Dating My Teenage Daughter and a whole series of novels about dogs including A Dog’s Purpose, which spent 63 weeks on the New York Times bestseller list. His latest novel is Love, Clancy: Diary of a Good Dog.

So, why is he on a compliance and ethics podcast? Well, because his writing has a lot more to do with it than you might think, and he learned some painful lessons about setting and enforcing rules. It was easy enough to write those simple rules for dating his then two teenage daughters, but that didn’t make him popular. He was seen as a despot and met resistance (both overt and subtle). As for those daughters, one is now a CFO and the other, ironically, works in law enforcement.

The experience taught him several lessons that compliance teams can relate to:

  • You have to recognize that you can’t have complete control
  • Just because you think things will go better if others do what you say, they may not
  • There is a need for human expression and accommodation for it

Dogs have proven less argumentative for him. As he observes, they have been bred over the centuries to be absolutely dedicated to us. We raised them to be our tools first and then pets. Today they are thrilled when we come home and bring their optimism and hope, and their love of play, into our lives.

Dogs, though, he believes, lack an innate sense of right and wrong. Instead, they are born with instincts where what pleases us is “right”. That, he explains, is why dogs owned by bad people turn out “bad”: they are doing what they think will please their owner and, to them, that’s the right thing to do. We have an ethical duty to dogs, he argues, because they are wired to please us. In addition, they were bred to depend on us even to survive.

Listen in for a fun conversation about dogs, ethics and the often frustrating outcomes of setting even the most basic of rules.

 Ganesh Krishnan on Cyber Threats [Podcast] | File Type: audio/mpeg | Duration: 11:53

By Adam Turteltaub

The cyber landscape these days can be terrifying. Malware, ransomware, spyware, phishing, cloud-based computing and so much more are enough to keep even a compliance veteran up all night. There are other risks to consider, too, says Ganesh Krishnan (Twitter), co-founder and CEO of Anzenna.

One major issue is scalability of IT security resources. As organizations grow larger and increasingly reliant on cloud-based software providers, the size and complexity of security challenges increase. If the cybersecurity team does not grow with it, problems increase, work doesn’t get done, and vulnerabilities quickly emerge.

A second problem is the attitude that data security is the responsibility of the data security team. He argues persuasively that it isn’t. Technology can’t solve cyber problems. The entire company has to be focused on it. That includes the workforce, which has been labeled wrongly, he argues, the “weakest link.” Instead, organizations need to recognize that employees can be the strongest link and have to be treated accordingly. This means more frequent training and less punitive measures when things go wrong. Employees should not be fearful to come forward and report a mistake they made.

He also encourages organizations to be more open when there is an incident, sharing internally what happened and what employees can do in the future to help prevent it from reoccurring.

Listen in to learn more about how to improve your cybersecurity program.

 Matt Silverman on Antiboycott Law [Podcasts] | File Type: audio/mpeg | Duration: 15:41

By Adam Turteltaub

While the trade compliance focus these days tends to be on Russia and the hundreds of sanctions imposed, one old issue remains: the Arab League Boycott of Israel. Despite improving relationships between Israel and some of its neighbors, progress has not been uniform and risk remains.

In this podcast, Matt Silverman, Global Trade Director and Senior Counsel at VIAVI Solutions and author of the chapter “U.S. Antiboycott Laws: Understanding the Impact and Ensuring Compliance” in the Complete Compliance and Ethics Manual, explains that the boycott prohibits companies and individuals from doing business in Israel or with other companies that do business with the country. The US antiboycott law makes it illegal for US companies and persons to support the boycott, or, for that matter, any boycott that the US does not endorse.

It would seem simple enough, but it isn’t. Individuals not familiar with the issue may not think twice of signing an agreement that says the company will follow the laws of the country where the sale is made. What they may not realize is that the country has laws on its books prohibiting business with Israel. Examples of boycott language can be found on websites of the US government.

To comply with the US antiboycott law, both in the Middle East and elsewhere where boycotts may be in place, it is essential that employees be trained in what to watch out for. The company should also have an antiboycott policy. In addition, companies need to remember that there is an obligation to report any boycott requests.

Listen in to learn more or read the chapter about the topic in the Complete Compliance and Ethics Manual.

 Lisa Beth Lentini-Walker on ESG, Cyber and Privacy [Podcast] | File Type: audio/mpeg | Duration: 11:33

By Adam Turteltaub

ESG, cyber risk and privacy are all hot topics in compliance, but that doesn’t mean people typically identify the data issues as ESG topics. Lisa Beth Lentini Walker (LinkedIn), CEO & Founder of Lumen Worldwide Endeavors and Assistant General Counsel at Marqeta, thinks that’s a mistake. Cyber and privacy, she believes, fall very much under the Social in Environmental Social and Governance. Just look at the many ethical issues surrounding data usage these days as proof.

She explains in this podcast and in the chapter “ESG, Cyber and Privacy: Bridging the Divide” in the 2023 Complete Compliance & Ethics Manual, that privacy and security are not separate and apart from ESG. They are central to how the organization navigates the world and people around it. Keeping data secure is squarely under the social mission of the enterprise.

To live up to that obligation, organizations have to focus more on keeping data safe and building proper systems around how individuals interact with the data. Simply believing “well, we have a good practice” is not enough. The practices have to support the ESG framework in terms of meeting the company’s commitments.

In addition, the temptation to be data hoarders has to be tempered. Collecting data is easy to do, and it’s generally inexpensive to store. That makes it easy to rationalize indefinite retention. But a clear path to data destruction is essential. Think of it like cleaning out the closet. It may not be easy, but it needs to get done.

Organizations also need to embrace greater transparency about the processes in place to safeguard and use data. That helps investors and rating agencies better assess how the entity is measuring up against the SASB and other standards.

Listen in to learn more, and then check out the 2023 Complete Compliance & Ethics Manual.

 Chris Matlock on Third Party Risk [Podcast] | File Type: audio/mpeg | Duration: 15:00

By Adam Turteltaub

The Gartner Legal Risk & Compliance Practice recently released a report on the state of third party risk management. To learn more we talked with Chris Matlock, Gartner’s Vice President, Advisory – Corporate Strategy & Risk Practice.

The report was developed, he explained, because of the substantial changes in business over recent years. As the size of businesses has grown – many of the Fortune 500 are 50%-100% larger than they were a decade ago – the number of third parties they work with has increased dramatically and with it the “threat surface”. Complicating the challenge, much of that growth took place during the pandemic, when normal third party vetting processes were not possible. Today, with a threat of a recession, third parties are often under extreme pressure to meet the expectations of both their owners and their customers. The likelihood of compliance failures is higher.

Gartner’s research found that the typical risk factors remain, but they have been intensified by both new regulations and stresses on supply chains. IT and cyber risks are growing larger at the same time that companies have made substantial investments in technology to enable their teams to collaborate and interact with customers electronically.

Adding to the challenge, many organizations do not have a mechanism for centrally managing their third parties, which makes it more difficult to ensure consistency in practices and respond when things go awry. Pushing the “stop” button with one vendor may trigger unexpected consequences three steps downstream.

Additional stress has been created through, as noted earlier, a heightened regulatory environment. Anticorruption enforcement continues while the number of privacy laws grows.

To manage the risks, many have turned to tools to collect more data on their supply chain, but that has posed the problem of having too much data and, as a result, difficulty in determining which pieces of data are truly important. To help manage these risks, Chris recommends enlisting the enterprise risk management team to create key indicators that can help monitor risks in a forward-looking way.

 Arvin, Greene and Podleski on Privacy and Patient Data [Podcast] | File Type: audio/mpeg | Duration: 16:03

By Adam Turteltaub

At the 2023 HCCA Compliance Institute there is a sure-to-be-fascinating roundtable discussion led by Marti Arvin, Vice President, Chief Compliance Officer, Erlanger Health System, Joan M. Podleski, Chief Privacy Officer, Children’s Health and Adam Greene, Partner, Davis Wright Tremaine, LLP. They will be addressing a range of privacy and data-related issues.

In this podcast one of the topics they discuss is the complexity around access. Often, for example, raw data is not kept in the main health information management system (HIMS). Another challenge is proper website disclosures and how visitor data is used and shared. OCR has issued guidance in this area that has earned a great deal of attention. But it is likely to be a hard problem to solve since organizations will need to determine exactly what data they are collecting, using and storing.

To help manage these issues they strongly argue for investing the time and effort in developing clear processes for responding to data requests. Then, monitor to ensure the policies are being followed. Take time also to understand what is in your designated record set and where it is stored. Then make sure your HIMS understands what qualifies as the designated record set.

It’s time also to reassess how your organization is managing telehealth now that the public health emergency is ending. There will be decreased flexibility and increased emphasis on keeping these interactions on HIPAA-compliant platforms. When you do move onto one of these platforms, be sure to have a business associate agreement.

When looking at technology, they advise that compliance be a part of decisions related to the use of patient apps. Whether your organization is thinking of building its own or relying on a third party, it’s essential that the privacy requirements be a part of the discussion from the start.

Listen in to a provocative conversation, but be warned. It’s going to make you want to join them in person at the HCCA Compliance Institute, April 23-26 in Anaheim, and online April 24-26.

 Michael Volkov on What We Learned in 2022 and What it Means for 2023 [Podcast] | File Type: audio/mpeg | Duration: 14:43

By Adam Turteltaub

A lot happened in compliance in 2022, with a large number of lessons for 2023. To sort it out we turned to Michael Volkov, of the Volkov Law Group and host of the Corruption, Crime & Compliance blog and podcast. In this Compliance Perspectives podcast he addresses several key pieces of learning for compliance teams.

FCPA: While 2022 may have started out slowly in terms of resolutions, the year ended on a busy note with several settlements and the revised corporate enforcement policy. One thing the DOJ made clear is that it is taking a sharp look at compensation policies to see if there are both incentives and disincentives for wrongdoing. The latter should include claw backs, deferred compensation and punishment for wrongdoing. Culture (more below) was also a keen area of focus and is likely to remain so. The perennial issue of third-party risk remains, as well. Where should compliance teams focus? The contract to invoice to payment stage of deals is where FCPA violations tend to occur. Also, be on the lookout for more major dispositions shortly.

Sanctions: Last year, he reports, was the year of the trade compliance officer. Complying with an ever-increasing and changing list of Russia-related sanctions kept teams busy day and night. The good news is that companies seem to be on top of things. The bad news is, he warns, that the Department of Justice has warned that this could be the new FCPA, with large fines for wrongdoing. He also warns that OFAC is a strict liability enforcer. Intent does not matter. As big an issue as this has been, there is often still too much of a separation between the trade compliance and main compliance groups. That will likely need to change, if it hasn’t already.

Culture: Culture has gotten the attention of the enforcement community with a particular focus on ethics. Done right, the culture can be the most effective corporate control an organization has. Done wrong, it can cause not just problems, but liability for the organization. The DOJ is looking at culture closely and recent case law out of Delaware has extended the due care responsibility to senior leadership. To survive and thrive, organizations, he believes, need to define their culture, attend to and embed it, monitor, and intervene when they see deficiencies. Finally, the board and senior management need to be educated on the importance of the right culture. It’s not just about saying “do the right thing.” It’s about expectations and norms around the mission, how we treat each other and how we treat those outside the organization.

Listen in to learn more, including what he sees for the future of compliance programs.

 Yolunda Dockett and Holly Hester on the Changing Telehealth Rules [Podcast] | File Type: audio/mpeg | Duration: 15:39

By Adam Turteltaub

Telehealth is here to stay, but that doesn’t mean the rules will all be staying the same, report Holly Hester, Senior Director, Strategic Client Partnerships for Net Health and Yolunda Dockett (LinkedIn), Chief Compliance Officer at Anne Arundel Dermatology.

While the Public Health Emergency is set to end on May 11, 2023, the Consolidated Appropriations Act of 2023 extended many telehealth flexibilities through the end of December 2024. These include the ability to provide telehealth to patients in their homes, in both rural and urban settings, and the ability of physical and occupational therapists, along with speech pathologists, to provide telehealth. Yet, there are inconsistencies, with some CPT codes used by rehab therapists set to expire at the end of 2023. Plus, some are being continued only for 151 days after the end of the emergency.

One other change to expect centers on privacy requirements. While many platforms have been used to provide telehealth, soon only HIPAA-compliant platforms will be allowed. It’s a change that makes the provision of care less flexible and perhaps less friendly.

Regardless, if your organization has not yet done a risk assessment about telehealth, now is the time. Leverage the relationships established in rolling out the service and then look collaboratively at the risks and start thinking about remediation techniques. Some other things to consider:

  • Understanding how to decide if a patient has the physical and mental capacity for telehealth
  • Business and operational risks
  • Privacy considerations, on both the provider and patient sides
  • Reimbursement and billing
  • Documentation requirements

It’s a lot of work, but it helps to ensure that telehealth can be delivered in a compliant manner.

Finally, don’t miss learning more at their session “Incorporating Telehealth into Your Compliance Workplan” at the 2023 HCCA Compliance Institute.

 Thora Johnson and Mark Fox on De-Identification Under HIPAA and GDPR [Podcast] | File Type: audio/mpeg | Duration: 13:44

By Adam Turteltaub

These days it’s easy to identify people using technology and databases, and that’s a problem if you are trying to comply with HIPAA or even GDPR because a lot of sensitive data eventually needs to be de-identified in a proper manner.

Thora Johnson (LinkedIn), Partner at Orrick and Mark Fox (LinkedIn), Privacy and Research Compliance Officer at the American College of Cardiology explain that there are two permissible methods of de-identification under HIPAA. Safe Harbor De-Identification is a process in which eighteen identifiers are removed. The second option is Expert Determination De-Identification, in which statistical principles are used to determine if there is low risk a person can be identified.

It's not an easy process, either way. Information on the individual and family members likely needs to be removed. In addition, many struggle with how to do de-identification right because the work is often done only periodically and not on a regular, frequent basis.

One area of particular challenge is understanding the difference between de-identification and a limited data set. There are significant requirements with these limited data sets, too, including the need for a signed agreement with the data recipient and proper permissions to share the data.

Adding to the complexity, under GDPR there are the concepts of anonymization and pseudonymization to reckon with.

What should you do? Listen in to understand the issues, and then plan on attending Thora and Mark’s session “It’s De-Identified, or Is It?” at the 2023 HCCA Compliance Institute.

 Andre Paris on Brazil’s Data Protection Law [Podcast] | File Type: audio/mpeg | Duration: 14:43

By Adam Turteltaub

With one of the largest economies in the world and serving as the South American home for many global businesses, Brazil is a country for compliance teams to watch, and its laws are very much worth heeding. That includes the Brazilian General Data Protection Law (LGPD), which entered into force on September 18, 2020.

As Andre Paris (LinkedIn), Professor and Privacy & Compliance Consultant explains in this podcast, the law contains 10 principles including:

  • Data should be processed only for specific, legitimate, explicit purposes
  • Data quality needs to be maintained
  • Companies must be transparent about how data is used
  • A security regime must be in place
  • The data should not be used in a discriminatory manner

It is very similar to and consistent with the European General Data Protection Regulation (GDPR) and includes a number of rights for data subjects, such as access to personal data held by the organization, the ability to correct outdated and incorrect data, and the blocking or deletion of unnecessary data. The law applies to any data collected in Brazil, regardless of the citizenship of the individual.

So how can compliance teams address the law’s requirements? He recommends several steps:

  • Secure the support of leadership
  • Search for someone with privacy expertise to serve as the data protection officer
  • Train the workforce on what is essential data
  • Map your data
  • Determine which law authorizes the processing of data
  • Identify any and all risks inherent in the organization’s operations

Listen in to learn more about how to ensure your organization is in compliance with Brazil’s LGPD.

 Deb McCracken and Julie Wall on Patient Safety [Podcast] | File Type: audio/mpeg | Duration: 11:41

By Adam Turteltaub

Patient safety remains a challenge for organizations, and not for want of trying to address the problem. Improving it is an issue addressed here and at the 2023 HCCA Compliance Institute by Deb McCracken, Chief Risk Officer, and Julie Wall, Senior Vice President, Benefis Health System.

Problems such as falls remain, along with improper medication administration, patient misidentification and infections. They persist because, as healthcare and technology change, procedures may as well, leading to a departure from safe behavior. Adding to the challenge, often, is an unwillingness to speak up and raise issues. Many fear that they will be retaliated against if they point out potential problems.

To better understand patient safety risk they recommend a close working relationship among compliance, quality and risk management. These three departments should help form a committee focused on patient safety that includes individuals skilled in capturing and coding root cause analyses.

To close safety gaps effectively, they recommend looking to best practices and implementing them. Also use lessons learned from your organization and others across the industry. That begins with debriefing after an incident. They also recommend running simulations of real-life situations. These can help you be better prepared when an incident occurs. When you do, don’t forget about practicing for workplace violence scenarios.

Listen in to learn more about how you can promote better patient safety practices. And, to learn even more, join us in Anaheim for the 2023 Compliance Institute.

 Brittney McDonough on Finding Your Next Job [Podcast] | File Type: audio/mpeg | Duration: 23:12

By Adam Turteltaub

With seemingly constant news stories about layoffs, many are starting to wonder what they would do if they found themselves suddenly out of work and looking for their next compliance position. There are several ways to make the process go smoother, explains Brittney McDonough, partner at the recruiting firm Barker Gilmore.

That starts with making the right decision of how much time to take off after a layoff. Many people, not surprisingly, are tempted to use their severance package to take a much-needed respite from work. Be careful, though, she advises. A job search can take three to six months, so taking six months off could lead to a year out of work. That doesn’t mean, though, you shouldn’t take advantage of this time. You should embrace it; just be sure to use it strategically, balancing recharging your batteries with a thoughtful approach to finding your next opportunity.

When it comes to pursuing a job search, she recommends three key steps:

  • Develop professional objectives. Think through what you want out of your next position: What role do you desire? What level are you open to? What type of company? What size and industry? What do you want to make? Where do you want to live?
  • Develop a marketing plan for yourself. Think about how you are going to sell yourself and end up on the radar of recruiters and prospective recruiters. Update your resume accordingly, and be sure that you have a current and accurate presence on LinkedIn. Recruiters depend on it.
  • Be intentional about how you network. Put together a list of contacts who could be helpful. Reach out to them and ask what they can recommend and who they can connect you with. Be sure to offer to help them, too.

Also pursue speaking and writing opportunities. They are a way to increase your contacts and open up more opportunities.

What do you do when a prospective employer asks about the job that you lost or maybe still have? Be honest but don’t go into any more details than you need to. You want to keep the focus on the job you want, not the job you have or had.

Listen in to learn more, and if you want to learn more about networking, here is a link to a book that was discussed in the podcast.

 Elena Durante on Greenwashing [Podcast] | File Type: audio/mpeg | Duration: 14:12

By Adam Turteltaub

As environmental expectations keep rising and Environmental Social and Governance (ESG) metrics gain more importance to investors, some organizations will be tempted to greenwash, which is best described as making an environmental footprint look far better than it actually is. That’s a serious risk and one that will be addressed by Elena Durante, ESG Risk Audit Manager, ING Corporate Audit Services, Risk & Finance, at the SCCE European Compliance & Ethics Institute, which takes place in Amsterdam March 20-22.

As she explains in this podcast, at its roots greenwashing is about misleading information supplied to investors and customers, taking advantage of the fact that these outsiders cannot fully tell if what the organization is saying is true. While greenwashing is still relatively unregulated, she tells us, that has started to change. In the EU there have been an increasing number of efforts to combat it. Plus, there is severe reputational damage to companies caught greenwashing.

Compliance teams need to be on the lookout at their organizations to ensure the integrity of their organizations’ environmental statements. That starts with ensuring that the regulations that currently exist are followed. It also means keeping an eye out for new regulations.

Compliance should also be working to develop and implement ESG protocols within the organization. These should identify clear rules and policies to ensure sufficient checks and balances are in place. A training element will also be needed to help the business people understand that environmental statements need to accurately reflect the organization’s actual activities, not just its aspirations.

Listen in and then keep an eye out for greenwashing in your organization.
