When is it advisable to hire an Interim Compliance Officer (ICO)?

Jim Cottos answered this question. He is SVP at Strategic Management (jcottos@strategicm.com) having provided compliance advisory service for the past ten year.  Previously served as Regional Inspector General and Chief Inspector for the DHHS OIG and as Assistant IG for Investigations at the Department of Treasury.

We are finding that more and more organizations are engaging experienced professionals and subject matter experts as Interim Compliance Officers (ICO).  The normal period for such arrangements is between six to eighteen months.  I have been an ICO at a number of organizations ranging from a small stand alone hospital to being the interim chief compliance officer for Baylor Health Care System in Dallas, while it took its time finding just the right person to replace the former compliance chief. Baylor also wanted me as a pair of “fresh eyes” to evaluate the compliance program at the academic medical center, which has 17,000 employees.  In some cases, I was hired to be the ICO in order to build or rebuild a compliance program before having a permanent replacement take over.  In other cases where I was engaged to be the ICO, it was to either build or rebuild the stature of the compliance officer before selecting a permanent one.  The real questions to be asked are:

• When and under what circumstance is it advisable to take this course of action?
• What are the advantages of using an ICO?
• How do you select an ICO?

Hiring an ICO can have several benefits.  First, the program is not left unattended and continues in full operation, leaving more time to find the right permanent compliance officer.  Secondly, an ICO will be able to provide an independent assessment of the state of the program. Third, the ICO can assist in defining the specific qualifications for selection of the new permanent compliance officer.   This latter point leads to the fact that the organization may wish to use the ICO to vet and assess candidates for the job.   This may help avoid hiring someone who on paper looks great but is seeking a new job because they are not doing well in their current position.  There are a lot of failed compliance officers looking for new jobs.

My suggestion to any organization considering hiring an ICO would be to take care to find someone with the right experience and expertise.  You don’t want to bring a stranger into the work environment who is an amateur that could create confusion, stir up problems with the workforce or management, let along creating a potential liability.   It is best to find a firm that has a lot of experience doing this kind of work, and who uses only qualified compliance experts.

Outsourcing Compliance

With increased frequency, organizations are exploring the notion of outsourcing their compliance programs and trying to determine if, when, and under what circumstances this would make sense.  Before making this analysis, it is worth noting that the DHHS OIG has recognized that this may be an acceptable alternative to an in-house compliance officer.  They noted in various compliance guidance documents that it may make sense to have one individual could serve as compliance officer for more than one entity; and in situations where staffing limitations mandate that the entity cannot afford to designate a person(s) to oversee compliance activities, the practice could outsource all or part of the functions of a compliance officer to a third party, such as a consultant. However, if this role is outsourced, it is beneficial for the compliance officer to have sufficient interaction to be able to effectively understand the inner workings of the practice.

So, it is permissible from the government’s viewpoint to consider outsourcing a compliance program.   The next question is when it makes sense to do it.   The OIG noted that it may be reasonable to consider this where the entity is relatively small and having an employee designated to do the work may not make good sense.   Examples of this are smaller physician practices, DME suppliers, stand along SNFs, etc.  In these cases the cost of having a full blown internally operated compliance program is not financially sound and is complicated by the close proximity of the person charged with compliance to other employees in a confined work environment.  Under these circumstances, they may be better off hiring an established expert with support resources to develop, operate and support the program properly.  For larger entities and organizations, such as large hospital systems, outsourcing compliance should not be considered a realistic option.

The next question for smaller entities is a cost benefit analysis.   What would it cost to have someone designated internally to operate the compliance program effectively?   Could a part time compliance officer be sufficiently qualified and have time to do all that needs to be done?   Would the individual designated internally as the compliance officer have sufficient time and expertise to ensure the compliance program is effective?   What would it cost in salary and overhead to have someone designated internally versus outsourcing the function?  The entity would be far ahead of the game if cost of outsourcing should be less than if operated internally.  It would ensure a professionally operated program.

Must you screen against the General Services Administration’s (GSA) Excluded Parties Listing System (EPLS)?

For over a decade, the OIG has suggested screening against the EPLS and now questions are being asked as to whether this is really necessary.  It is a costly and time-consuming effort that leads to very little solid results.  There are a number of false hits that arise from screening against the EPLS and this has been complicated by a lack of specific identifiers on the EPLS, which leads to many false hits that then require significant staff time for resolution.  Adding to the time and costs related to the EPLS process it that fact that it is rare to find a valid hit on that database.  It is our position that a solid case can be made for not querying the GSA database in the first place.  Such a statement CANNOT be said about screening against the LEIE.

The GSA site makes it clear that the debarments decisions are designed for use by only federal government agencies, not health care providers who are not entities of the federal government (see Executive Order 12549, “Debarment and Suspension”, and Executive Order 12689, same title).   Also there is the absence of an OIG advisory bulletin addressing or clarifying use of the GSA EPLS. Furthermore, Departmental and CMS regulations are silent on the issue of GSA debarments and their effect on health care financing programs of the DHHS.  We are not aware of a single instance where the DHHS OIG has taken action against a health care provider using an individual or entity on the GSA EPLS.  There are other difficulties associated with screening against the GSA data.  There is no explanation as to where to draw the line in screening contractors and vendors.   Bottom line: It is hard to determine what the downside would be for not screening against the EPLS.

Sanction Screenings

We continue to receive questions dealing with sanction screening. A number of compliance officers have noted complications arising from those already employed or given staff privileges. What is clear is that continued relationship with someone under exclusion can give rise to a host of potential liabilities. However, terminating the relationship can still be a vexing problem and in some cases has led to litigation in some cases. There are things that can be done in advance to avoid some of the complications of dealing with someone appearing on the OIG LEIE. First and foremost, all employee applications shall include questions pertaining to any pending charge or conviction for violation of criminal law; and/or any sanction or disciplinary actions by any duly authorized regulatory or enforcement agency of government. The following is suggested language on applications:

 • “Have you ever been convicted of any criminal violation of law, or are you now under pending investigation or charges of violation of criminal law? If yes, explain.”

 • “Have you been subject of any adverse action(s) by any duly authorized sanctioning or disciplinary agency for either conduct based or performance based actions? If yes, explain.”

Employee applications should also include questions pertaining to any pending charge or conviction for violation of criminal law; and/or any sanction or disciplinary actions by any duly authorized regulatory or enforcement agency of government. It should also be a condition of employment that the individual has an affirmative duty to report any investigation by a duly authorized government agency that involves them personally. In many cases a person who is the subject of investigation at one facility will change jobs before the axe falls and at the time of application for the new job they are not under sanction. It is also advisable to adopt the written policy that any false information provided on an application violates a condition of employment; and any false attestation concerning administrative actions taken against them can constitute independent grounds for termination. In this way the organization may focus on the false statement, rather than the underlying subject of the agency sanctioning.