Do You Have a Strong Compliance Program Keys

Do You Have a Strong Compliance Program? Keys to operating an Effective Compliance Program A presentation by: James Neal, CCE, Board Of Directors Health Ethics Trust Glenn D. Fox, Esquire Saul Ewing LLP Robert Westervelt, MBA, CCE Acts Management Services, Inc. Vice President Operational Audit & Compliance October 22, 2014

The Landscape is Changing • Senior Living/LTC currently are under no strict requirement to maintain a written compliance program. • This could soon change, however, as the ACA required all nursing homes to adopt and implement compliance programs in 2013. • This in itself has not changed the Senior Living/LTC compliance landscape. While many of these requirements are not directly applicable to Senior Living/LTCs, the risks, and, therefore, the potential costs associated with most risks are applicable. 2

Be Adaptable • The ACA requires CMS to issue new Conditions of Participation that will add to the compliance program standards. • These new conditions can alter the risk environment, and a Senior Living/LTC facility's noncompliance could result in overpayments. • Senior Living/LTC providers should prepared by drafting their policies and building their compliance programs that are truly effective and adaptable to regulatory changes. 3

The Case for Compliance: Why You Need an Effective Compliance Program • Health care compliance programs have become well established largely due to the Office of the Inspector General (OIG), and recent occurrences of corporate fraud have made corporate responsibility and accountability front-page news. • However, the model for today’s compliance programs is actually the Federal Sentencing Guidelines for Organizational Defendants (Guidelines), developed in 1991 by the United States Sentencing Commission (USSC). • The USSC developed the Guidelines to promote consistent treatment of individuals and organizations convicted of federal crimes, including fines and restitution, imprisonment and probation or exclusion from participation in various federally funded programs. 4

The Case for Compliance: Why You Need an Effective Compliance Program • The USSC Guidelines allow organizations to mitigate their sentences if they have adopted, implemented and maintained a set of seven standards demonstrating an effective compliance program to identify, prevent and report improper conduct. • While the Guidelines apply to all corporations and organizations, these seven standards were co-opted by the OIG for its Model Compliance Program Guidances published for the health care industry in 1997. 5

The Case for Compliance: Why You Need an Effective Compliance Program • An effectively designed compliance program enhances business operations by controlling and managing regulatory and operational risks; reducing mistakes; enhancing the flow of information to directors, officers and other leaders within the organization; improving oversight and implementation of corrective actions; reducing losses from regulatory violations (or from accidents or mistakes); and improving relations with residents and clients, employees and regulators. • Having an effective compliance program is a key factor in an organization’s reputation management strategy. 6

The Case for Compliance: Why You Need an Effective Compliance Program Still Not Convinced? • There is another benefit to implementing and maintaining a compliance program, although nobody wants to think about needing it. The Federal Sentencing Guidelines provide relief for any entity convicted of a crime that has an effective compliance program in place. • In determining the amount of any fine, the Guidelines require a court to determine a “culpability score” by calculating aggravating and mitigating factors. Having a compliance program doesn’t excuse the crime, but demonstrates that the organization took reasonable efforts to prevent, detect and correct any improper conduct. • It may lower the organization’s starting “culpability score”, and not having a compliance program is actually considered an aggravating factor which increases the culpability score! 7

The Case for Compliance: Why You Need an Effective Compliance Program • In a January 20, 2003 memorandum explaining the basic principles to be followed in prosecuting business organizations, Deputy Attorney General Larry D. Thompson instructed U. S. Attorneys to place “increased emphasis on and scrutiny of the authenticity of a corporation’s cooperation”. • Among the specific factors to be considered in deciding whether to charge an organization are “the existence and adequacy of the corporation’s compliance program” and “the corporation’s remedial actions, including any efforts to implement an effective compliance program or to improve an existing one”, which the memo explains requires the prosecutor to “attempt to determine whether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed and implemented in an effective manner. ” 8

An Effective Compliance Program is Like a Football Playbook • No coach worth his salt develops a playbook and then puts it on the shelf. The successful coach is always reviewing which plays work and which don’t. His playbook is dynamic – it must be updated regularly to account for changes in the rules, new players with different skill sets, and the evolution of defenses. • An effective compliance program is no different. It is not merely a project to be completed and checked off as done, but a process that requires continuous review and improvement. 9

An Effective Compliance Program is Like a Football Playbook • In football it’s been said that a good defense beats a good offense; but in the health care compliance arena, none of us ever wants to be on the defense! • So how good is your offensive playbook? 10

Senior Living/LTC Industry • How did Corporate Compliance become a key focus in the senior living/LTC industry? • What are the components of an effective Corporate Compliance program? • What does the law require? • Does ACTS (and its affiliates) meet the current standards and legal requirements? • What is the anatomy of an Ineffective Compliance Program. 11

Compliance Programs Typical questions : 1. How did Corporate Compliance become a key focus in the senior living/LTC industry? 2. What are the components of an effective Corporate Compliance program? 3. What does the law require? 4. Does ACTS (and its affiliates) meet the current standards and legal requirements? 12

Compliance Programs Brief History Lesson 13

Year 1984 Growth of Compliance Programs The Sentencing Reform Act (US Sentencing Commission) - Establishing sentencing guidelines - Providing uniformity in sentencing - Recognizing flexibility for extenuating circumstances 14

Year 1991 Sentencing Reform Act Expanded US Sentencing Standards Commission submitted – For organizations convicted of federal crimes – To “deter” organizational wrongdoing – Created guidelines for compliance programs – Included significant sentencing reduction if an “Effective Compliance” program was identified 15

Year 2004 Strengthening of Program Guidelines for an “effective” Compliance Program include: • • Executives take an active role Promote ethical culture throughout the organization, “woven within the fabric” Seven elements of an effective compliance program Outlined in Chapter 8 of the Sentencing Guidelines 16

The Elements of an Effective Program Best Practice 1. Governance 2. Code of Conduct 3. Chief Compliance Officer & Committee 4. Effective Communication & Training 5. Audit Monitoring & Assessment 6. Disciplinary & Corrective Measures 7. Risk & Program Assessment 17

Year 2010 Federal Legislation Enacted (“PPACA”) Patient Protection and Affordable Care Act of 2010 – Mandated a compliance and ethics program for SNFs by March 2013 (Section 6102 & 6401 of ACA) – Applying similar elements outlined in the sentencing commissions guidelines – OIG and other regulatory agencies also recognizing and adopting compliance program guidelines as part of their assessment criteria in cases 18

Comparison of Best Practice and PPACA Compliance Program Requirements BEST PRACTICE PPACA GOVERNANCE CODE OF CONDUCT CCO & COMMITTEE =========== COMMUNICATION & TRAINING =========== AUDIT, MONITOR & ASSESS =========== DISCIPLINE & CORRECTIVE ACTIONS =========== RISK & PROGRAM ASSESSMENT PROGRAM ESTABLISHMENT STANDARDS and POLICIES HIGH LEVEL CONTROL LIMITATION OF AUTHORITY =========== COMMUNICATION =========== AUDIT & MONITORING =========== DISCIPLINE CORRECTIVE ACTIONS =========== REASSESSMENT OF THE PROGRAM 19

PPACA Components One, Two and Three 1. Governance -Program Establishment The organization must have established compliance standards and procedures to be followed by its employees and other agents that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations under this Act. 2. CCO and Committee - High level Control - Limitation of Authority Specific individuals within high-level personnel of the organization must have been assigned overall responsibility to oversee compliance with such standards and procedures and have sufficient resources and authority to assure such compliance. 20

PPACA Components One, Two and Three 3. Code of Conduct - Standards and Policies The organization must have used due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in criminal, civil, and administrative violations under this Act. 21

ACTS Governance 1) Compliance Document (Statement of purpose) – 1 st Step! • The Compliance Program governed by the Corporate Compliance Committee (the “committee) has been established to assure the oversight of compliance with applicable laws, rules and regulations and company standards and procedures. 2) Governance – The “Committee” • Chief Compliance Officer (CCO) • High level personnel • Oversees, monitors, directs and reviews • Seven compliance program elements • Parameters of compliance • Report to the Board 22

ACTS Structure of the Compliance Document (Charter) Key Elements & ACTS’ Compliance Program Key Elements GOVERNANCE CODE OF CONDUCT CCO & COMMITTEE =========== COMMUNICATION & TRAINING =========== AUDIT, MONITOR & ASSESS =========== DISCIPLINE & CORRECTIVE ACTIONS =========== RISK & PROGRAM ASSESSMENT ACTS PROGRAM - Charter References PPACA/U. S. Sentencing Commission (requirements) PROGRAM ESTABLISHMENT STANDARDS and POLICIES HIGH LEVEL CONTROL LIMITATION OF AUTHORITY =========== COMMUNICATION =========== AUDIT & MONITORING =========== DISCIPLINE CORRECTIVE ACTIONS =========== REASSESSMENT OF THE PROGRAM I, III, IV =========== V, VIII ====================== VII, VIII =========== IX 23

ACTS Chief Compliance Officer & Committee 24

ACTS Corporate Compliance Committee EXAMPLE Compliance Areas by Department Report Schedule Department Accounting/Finance Administration & Compliance Culinary & Nutrition Services Compliance Area Federal, State & Local Filings: Centers for Medicare & Medicaid Services Internal Revenue Service State Departments of Health, Insurance, Public Welfare, Revenue, State, Treasury, etc. * U. S. Census Bureau --Other Miscellaneous Filings State Departments of Insurance - Survey Results Time Frame 2014 Ma Jan Feb r Apr May Jun July Aug Sept Oct Nov Dec 30 27 27 25 29 26 31 21 25 30 20 18 Monthly (See X Attached Schedule) X X X X X X CARF/CCAC Report Other Licenses & Permits Semi. Annual Hotline Case Review Monthly X X X X X Quarterly X X X X Semi. Annual Quarterly X X Annual X Quarterly X X U. S. Sentencing Commission & HHS (Affordable Care Act) Centers for Medicare & Medicaid Services - State Survey Results Food & Drug Administration - National Food Code (HACCP) Compliance Training & Education Human Resources Employee(s) Presenting Review Department of Homeland Security - Immigration & Control Act (I-9 Forms) Department of Labor: FMLA, FLSA, PPACA, ERISA & FCRA Department of Labor: OSHA Annual 300/300 A Filing Equal Employment Opportunity

ACTS Code of Conduct 1. Written Code of Conduct – KEEP IT SIMPLE • Compliance expectations with policy and laws • Accountability & expectations at all levels • Organizational structure and culture 2. Promote the Code • HR manuals, routine training • employee handbooks • internal websites, posters, etc. 3. Enforce the Code - IMPORTANT! • Maintain consistent actions • Document enforcement • Enforcement at ALL levels 26

PPACA Component Four 4. Effective Communication and Training - Steps to communicate effectively The organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, such as by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required. 27

ACTS Effective Communication & Training 1) Promote Compliance ÷ At all levels ÷ Vendors 2) Assure effective compliance training • • • Regulatory guidelines and laws Internal policy and procedures Ethics Risk mitigation (prevention and oversight) Document ! 3) Training effectiveness (Reporting) ÷Senior management reporting ÷Effectiveness ÷Sufficient training ÷Manuals, policies and procedure are updated ÷Attestations 28

PPACA Component Five 5. Audit Monitoring and Assessments - Designed to detect criminal, civil, and administrative violations The organization must have taken reasonable steps to achieve compliance with its standards, such as by utilizing monitoring and auditing systems reasonably designed to detect criminal, civil and administrative violations under this Act by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report violations by others within the organization without fear of retribution. 29

ACTS Audit Monitoring & Assessments 1) Self-policing and independent audit processes • Departmental, regional and corporate • Independent assessments 2) Reporting mechanisms to report violations • 24/7 Hotline • Staff, vendors, residents and families • Follow-up and report 3) 5 year Internal Audit work plan • High risk areas • Independent assessment's and plans for improvement 30

PPACA Component Six 6. Discipline and Corrective Actions - Appropriate disciplinary mechanisms - Prevent further similar offenses The standards must have been consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense. After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses, including any necessary modification to its program to prevent and detect criminal, civil, and administrative violations under this Act. 31

ACTS Disciplinary & Corrective Measures 1) Clear disciplinary actions for non-compliance • Consistency • Documentation 2) Implement corrective actions where weakness is identified • Provide restitution • Identify root cause • Implement clear & effective corrective actions 32

PPACA Component Seven 7. Risk and Program Assessment - Reassessment of compliance risks and Program The organization must periodically undertake reassessment of its compliance program to identify changes necessary to reflect changes within the organization and its facilities. 33

ACTS Risk and Program Assessment 1) Periodically assess compliance risk • Identify all risks, laws & regulations • “Heat map” or rate the risks • Financial impact • Reputation • Ownership • Mitigating control • Regulatory focus • Probability (external reviews) 2) Involve management in risk assessment • Schedule regular reporting • Accountability 3) Program Assessment • Independent audits and feed-back 34

ACTS Compliance Risk Analysis Summary of Risk Categories SCORE Definition (1 - 5) A higher score indicates a greater chance of risk Severe (4 and above) High (3 - 3. 9) Moderate (2 - 2. 9) Low (0 - 1) 35

ACTS Compliance Risk Analysis Summary of Probability & Risk Assessment 36

Corporate Compliance and Ethics Program Counsel and Other Professional Assessments 37

The Anatomy of an Ineffective Compliance Program How to Evaluate Your Compliance Program

"Effectiveness" Much has been written regarding compliance program "effectiveness" as part of a collective effort to define what ineffective compliance program actually looks like. 39

Effectiveness Is Elusive • One of the reasons the reality of effectiveness is elusive is that it is relatively new, certainly complex, and in some cases the subtle concept, which very few organizations have achieved; • Given that each organization is unique, using a boilerplate to create a program or an evaluation tool will not accomplish the compliance goal; • This makes it difficult to recognize when a program is effective or ineffective. 40

Elements to Achieve Effective Compliance in a Program • Although unique, the vast majority of organizations are not too terribly different from each other in terms of the elements it takes to achieve effective compliance or the elements that are present when compliance is ineffective; • Certainly the circumstances or implementation personalities and cultures vary, all of which affect the subtle "how to achieve“ question but not necessarily the "it has been achieved " in an effective compliance program. 41

Ineffective Compliance Elements Only by being able to recognize when a compliance element is ineffective, can corrections be made to improve compliance and effectiveness. 42

Anatomy of an “Ineffective“ Compliance Program • It is common in today's environment for organizations to struggle with the essential elements of an effective compliance program. • In this presentation I will cover these elements and address the anatomy of an "ineffective" compliance program. 43

Anatomy of an “Ineffective“ Compliance Program By understanding where and how compliance programs break down, and how one weak aspect of a compliance program can affect all or many other aspects, we can begin to see more clearly how the intent of each element contributes to the overall results of effective compliance that avoids common compliance traps and pitfalls to which all organizations are vulnerable. 44

Ineffective Compliance Programs • An ineffective compliance program does not meet the measurable goals and objectives that it lays out; • An ineffective compliance program is one that ultimately allows fraudulent, inappropriate, unethical or inefficient and wasteful activities to exist unchecked or unidentified, causing harm to management, employees, customers and investors. 45

Compliance Is Not Voluntary • Even though a majority of compliance programs are voluntary, compliance is not; • With the standard for "intent" having been changed to add "reckless disregard for the truth" and "deliberate ignorance" to the prior standard of "actual knowledge", it is imperative that organizations actively identify fraudulent and inappropriate activities on a constant basis and take the required steps to remedy them. 46

Ineffective Compliance Program The resulting inefficiency, and inaccuracy, and unidentified inappropriate activities of an ineffective compliance program, make an organization vulnerable to a large scope of negative consequences ranging from lowered employee morale, to criminal and civil exposure, including possible exclusion from government programs. 47

Ineffective Compliance Program The resulting lack of trust and confidence in an organization's commitment to do the right thing builds when management, employees, and customers believe that the organization's compliance program is merely a façade that lacks substance. 48

Ineffective Compliance Program • When a program is ineffective, the sentiment that the compliance program is a cover up for improper activities can build in key employees. • Thus, it is vital that organizations make a firm commitment to compliance by implementing a program that is effective. 49

The Seven Elements of an Effective Compliance Program 1. Designating a compliance officer; 2. Developing written standards of conduct and policies and procedures; 3. Providing training and education; 4. Promoting open and effective lines of communications; 5. Enforcing compliance standards through disciplinary guidelines; 6. Auditing and monitoring for compliance; 7. Responding appropriately to offenses. 50

The Eighth Element • Given the 2004 revisions to the Sentencing Guidelines, many think that there are now 8 elements to an effective program. • On-going compliance risk assessment is the so -call eighth element. 51

The Concept of Compliance Relies on the Seven/Eight Elements and Their Interconnections and Interactions • Each compliance program element creates, stems from, or relies on the others to some degree; • When one element is lacking to any degree, the other elements will suffer; • Each element has vulnerabilities or "breaking points" which are actions (or lack of) that render a basic element less effective or hinders it from achieving its goal. 52

The following will be an open discussion of each of the elements purpose and identification of various braking points that may impede that element from serving its purpose in a compliance program. 53

Designating a Compliance Officer • The compliance officer is the leader or figurehead for an organization's compliance program. • The compliance officer must know when an organization may be lacking in compliance or engaging inappropriate activities. • A compliance officer must possess the technical skills and knowledge of the specific industry operations, rules, and regulations to appropriately investigate potentially inappropriate situations and develop corrective actions. 54

Breaking Points • Inadequate technical skills (auditing, verbal, or written communications), lack of knowledge (finance, operations, reimbursement, or legal requirements), compliance vision, resourcefulness; • Lack of financial resources, labor support, or commitment from the Board of Directors, CEO, management, employees, or vendors; • Lack of authority to enforce standards, policies and procedures, disciplinary action, or corrective actions. 55

Breaking Points, (Continued) • Lack of a direct line of communication to the CEO or Board of Directors; • Outsourcing of compliance responsibilities to avoid accountability or integration into the organization's operations; • Conflict of interest or lack of independence. 56

Standards of Conduct and Policies and Procedures • Standards of conduct and policies and procedures are the fundamental documentation underlying a compliance program; • Compliance policies and procedures are very specific to individuals, situations, and processes; • Without standards of conduct that are comprehensive, clear, and accurate, a compliance program is nonexistent. 57

Breaking Points • If policies and procedures are two theatrical or cumbersome for the average employee to use; • If not accurate and current, inaccessible or unavailable to employees due to a lack of education or dissemination; • If they read like a legal treatise and not a resource manual; – This form of a compliance program, or collection of policies and procedures could be a liability to the organization. – If under investigation, the policies and procedures may serve as proof that an organization knew what was proper and improper, but was intentionally acting improperly despite the policies. 58

Providing Training and Education • Along with auditing and monitoring, training and education is another key to achieving successful effectiveness; • It is of paramount importance to effectively communicate both the structure and substance of a compliance program to all of an organization’s stakeholders; • Without communicating how the program works and what it is trying to accomplish, the program is like the sound of a tree falling in the forest with no one around to hear it. 59

Providing Training and Education (Continued) • Experience indicates that as much live training as is feasible increases the success of efforts; • By augmenting live training with a variety of other media such as seminars and conferences, memoranda, one-on-one instruction, postings, the information will be more readily retained by the audience; • Live training programs usually leads to discovery a compliance risk or areas of needed improvement through the questions from employees with education traveling in both directions. • Taking shortcuts in training often results in higher long-term cost from retaining and poor compliance. 60

Breaking Points • Poor, incorrect, or inadequate content (in general or for specific audiences); • Unqualified trainer; • Sessions too long, over packed with information, not made to be interesting; • Not required frequently enough; • Not required for the appropriate personnel. 61

Promoting Open and Effective Lines of Communications • Employees, agents, customers, and management should be free to express concerns, request information and education, and discussed situations without fear retaliation; • Often the most valuable information regarding compliance risk comes from an individual raising a concern and passing it along without fully understanding if a violation is occurring or if an issue really exist. 62

Promoting Open and Effective Lines of Communications (Continued) • Two way communication should be nurtured and encouraged, which is best accomplished when an anonymous reporting mechanism exists and when resolution of the situation is communicated back to those concerned; • Many whistleblowers seem to take that route after raising an issue multiple times with no apparent communicated response from the organization. • Thus, effective and open communication must have the elements of anonymity and responsiveness in return. 63

Breaking Points • Lack of understanding of what should be reported and the obligation to report suspected inappropriate actions; • Lack of a culture of openness and non-retaliation regardless of anonymity; • Lack of anonymous reporting mechanisms or knowledge of the mechanisms for reporting; • Fear of retaliation or retaliation itself; • Lack of follow through with lack of feedback regarding resolution or corrective action. 64

Enforcing Compliance Standards Through Disciplinary Guidelines • In an ideal world, individuals would follow rules and regulations because it is the right thing to do. • In the real world, however, consequences for violations are necessary to enforce rules and regulations. • Thus, a vital element of an effective compliance program is disciplinary guidelines. 65

Breaking Points • Not communicated or made clear to employees contractors; • Not in force when necessary and as stated; • Not progressive or fitting for the violation; • Not determined on a case-by-case basis; • Not consistent over positions. 66

Auditing and Monitoring for Compliance • Although open lines of communication may help raise issues regarding compliance violations, systemic auditing and monitoring are critical to the program's effectiveness. • Audits must be planned and scheduled in order to ensure that all risk areas are reviewed and reviewed often enough to produce effective results. • Compliance risks should be assessed and audits should follow those risks. 67

Breaking Points Auditing and monitoring presumably breaks down when the audit plan, schedule, or resources are insufficient to review all potential risk areas, or are left incomplete or are ignored. 68

Responding Appropriately to Offenses • When offenses are discovered, swift and appropriate actions must be taken; • An adequate investigation of potential violations must occur timely, and when inappropriate actions are discovered, the individuals involved must be disciplined in accordance with the policies and procedures regarding corrective actions; • If a violation is discovered, it does not mean that the compliance program is ineffective, rather it demonstrates that compliance efforts are doing their job by finding offenses; • Understanding how the violation was allowed to occur and putting into place corrective actions to ensure that it does not occur again demonstrates an effective compliance program. 69

Breaking Points When offenses are discovered: • Failure to discipline in accordance with the policies and procedures regarding corrective actions; • Discipline is different for the same violation for different employees; • Understanding how the violation was allowed to occur but not putting into place corrective actions to ensure that it does not occur again. 70

Conclusion • Some believe that for most things something is better than nothing at all. • In the case of compliance programs, however, something, when done poorly, may be worse than nothing at all. • Given that compliance is the new standard, we must ensure that the program exists and exist effectively 71

Conclusion, (Continued) • The struggle to define, model, and identify a truly effective compliance program may be one battle that cannot be easily won. • But, by exploring the intent of each of the compliance elements and then considering the anatomy of ineffectiveness for each element- the breaking points - we can more clearly see when our compliance programs are achieving their objectives and when the structure in place is not accomplishing the compliance goals. 72

Compliance is a dynamic process!!! 73

Jim Neal, CCE Health Ethics Trust Telephone: (703) 683 -7916 www. healthethicstrust. com Glenn D. Fox, Esquire Saul Ewing LLP Telephone: (215) 972 -1084 Email: gfox@saul. com Rob Westervelt, MBA, CCE Acts Retirement-Life Communities, Inc. Telephone: (215) 661 -8330 ext. 640 Email: rob@actslife. org 74

Corporate Compliance Any Questions/Comments? 75