Understanding, experience and technology for success
Enabling Proactive, Sustainable and Cost-effective Compliance with the Help of MetricStream Solutions
Every year, the American healthcare and life sciences industries lose billions of dollars to fraud and abuse. Instances of fraud range from performing medically unnecessary procedures for insurance gains, to billing for services not rendered, to illegally altering patient information, to accepting kickbacks for patient referrals, to unlawfully promoting drugs. Such incidents not only drain the economy, but they also pose a hazard to patient health and safety. For instance, patients whose medical information has been unlawfully altered may receive the wrong treatment or discover that their health insurance benefits have been exhausted.
To keep these risks in check, the US government and regulators have been cracking down on healthcare and pharmaceutical organizations by enforcing regulations such as HIPAA/HITECH and those of the FDA, as well as audits such as RAC audits. Organizations that do not comply or display any sign of fraud pay heavy penalties. In a worst-case scenario, they could be barred from participating in Medicare, Medicaid and other federal healthcare programs. The resultant losses would be tremendous, as Medicare and Medicaid patients usually bring in significant revenues.
Instances of Corporate Integrity Agreements Proposed
Fortunately, organizations have a second chance at redeeming themselves through Corporate Integrity Agreements (CIAs). These agreements are usually part of negotiated settlements with the Office of Inspector General (OIG). They enable organizations to avoid exclusion from Medicare or Medicaid programs by establishing and demonstrating a robust compliance framework, as per CIA stipulations.
Corporate Integrity Agreements are usually proposed when incidents of fraud or abuse are discovered through audits or self-disclosures. The agreements contain a number of compliance requirements, and usually differ from one company to the other depending on the type of fraud. However, the goal of a CIA remains the same: to prevent future fraud and misconduct by ensuring that all internal controls and risk-mitigating measures are in place.
Implementing a CIA can be challenging and complex, as well as financially burdensome. However, the long-term benefits are substantial. Not only do CIAs prevent organizations from being barred from federal healthcare programs, but they also ensure the establishment of a robust compliance program that protects stakeholders and customers from risk, and builds brand value.
CIAs are usually drawn up for a three to five year period. However, in certain cases, they can extend up to eight years.
According to the OIG, integrity agreements usually include the following stipulations:
OIG criteria for Determining Whether a Corporate Integrity Agreement is Required
CIAs versus Corporate Compliance Programs
In many ways, CIAs resemble typical corporate compliance programs. However, there are significant differences between the two. For one, corporate compliance programs are voluntary and can be built to suit a company’s specific requirements and needs. On the other hand, a CIA is obligatory and has to be structured as per the OIG’s stipulations.
CIA reporting requirements also differ. Companies that have entered into a CIA are required to produce at least two major reports – an implementation report and an annual report. An implementation report details the programs and procedures of the agreement, as well as the steps that the company will take to demonstrate compliance with the CIA.
The annual report, which has to be filed every year, describes the status of the CIA compliance program. It includes employee disclosures, material deficiencies, overpayments or violations of laws and a summary of the findings of the Independent Review Organization (IRO) that is hired to conduct annual audits of the organization.
CIAs might offer a better, more cost-effective alternative to being excluded from federal healthcare programs. However, they also throw up a number of challenges which, if not dealt with effectively, can deeply affect profitability.
Many times, healthcare organizations enter into integrity agreements to avoid the complications and costs of defending themselves against fraud allegations. However, the costs of compliance with CIAs are also substantial. Time and effort must be spent to ensure compliance; policies and procedures need to be drawn up; additional human resources have to be deployed for compliance activities; external consultants and auditors must be hired to provide an independent review of compliance.
All these activities add up to enormous costs, on top of those of already existing compliance initiatives. Given that CIAs can stretch to five years or more, the costs of compliance are likely to go up. But the costs of noncompliance are even greater. Organizations that are pulled up for errors and inconsistencies in CIA compliance can face one of two penalties: exclusion from federal healthcare programs, which can be devastating to company profits; or monetary fines, which can range from $1,000 to $2,500 per day.
Complexity of CIA regulations
Over the last few years, the complexity and number of compliance requirements have only increased. Once a three-page document, integrity agreements can now extend to 40 pages, depending on the severity of the allegation. They contain numerous auditing, reporting and monitoring requirements, some of which are not easy to comprehend or implement. For instance, the terms ‘material deficiency’ or ‘material violation’ could be interpreted in various ways. Understanding their relevance to the organization is crucial to establishing a robust compliance program.
Lack of enterprise-wide visibility
Many CIAs call for greater involvement of Chief Compliance Officers (CCOs) and middle managers, as well as the Board of Directors. CCOs are often required to personally certify the accuracy of compliance reports and the effectiveness of compliance programs. To do this, they need to be able to view and track compliance processes across the enterprise at all times. This can be difficult to achieve, particularly in large-scale organizations with businesses scattered across various locations.
Ad hoc approach to compliance
Many healthcare companies function in independent operational silos with little or no collaboration between departments, units and cross-location centers. This isolated approach to compliance can result in operational redundancies. For instance, the same internal control could be unknowingly duplicated across departments. This, in turn, raises costs and lowers efficiency.
An ad hoc compliance approach is particularly inefficient in CIA compliance programs, which need to be implemented within a stipulated time period. Most CIA requirements must be completed within 90-120 days of signing the agreement. In addition, audit and control reports need to be generated at regular intervals.
Ensuring quick compliance with these guidelines is difficult when there is no framework for smooth, easy collaboration and coordination across the enterprise. Considerable time and effort is spent just on responding to OIG requirements, tracking down the requested information and managing deadlines.
Growing list of compliance regulations
Healthcare and pharmaceutical companies across the nation are grappling with an ever-growing list of compliance regulations. From HIPAA, to HITECH, to CMS mandates, to the Stark Act, to FDA regulations, to the Affordable Care Act, compliance regulations are only becoming more extensive and complex by the year. Adding CIA compliance to the lot compounds the challenges further.
No doubt, CIA compliance programs can be designed based on existing voluntary compliance programs. However, their requirements are time-bound and not very flexible. Besides, monitoring compliance across the entire spectrum of regulations is a laborious, time-consuming process. If executed through manual processes or spreadsheets, it can lower efficiency further and also result in costly errors. There is no room for negligence or carelessness, as regulators are extremely stringent and noncompliance penalties are costly.
To comply with CIAs, organizations need to draw up separate policies and procedures, submit reports regularly to the OIG, prepare control assessments, track risks, ready internal reports and more. The associated documentation and paperwork is tremendous. It requires constant updating, editing, consolidation into reports and more. Without a centralized repository, it can be difficult to access the information and provide a clear picture of organization-wide compliance. It also hinders the training process by making it difficult to coordinate training material and prepare training schedules.
Building a Robust, Efficient Compliance Management Program
Given the serious repercussions of noncompliance with CIAs, it is crucial for organizations to plan and implement a comprehensive compliance program. This should begin right from negotiations with the OIG. Instead of blindly accepting the terms and conditions proposed in the CIA, organizations should negotiate the contract and structure the agreement to enable effective compliance. For instance, if the organization already has a compliance program in place, it should align the terms of the agreement with this program. After all, both are likely to have similar elements. Coordinating the agreement with existing compliance programs will enable operational efficiency, ensure better collaboration and ease regulatory compliance.
An important aspect of CIA compliance is demonstrating the effectiveness and sustainability of compliance programs. Organizations must ensure that the required controls, policies, procedures and risk-mitigating mechanisms are in place. Regular internal audits should be conducted to monitor the effectiveness of controls and proactively remedy any issues that arise. Organizations should also keep themselves updated with OIG fraud alerts, legal advisory opinions, compliance guidelines and news releases.
Easier said than done? Yes, especially as organizations have so many other responsibilities to juggle in addition to compliance management. This is where technology can help. Often, a quality, efficient compliance program is only as good as the technology used to manage it. For instance, certain technology can automate compliance and audit processes, helping save time, resources and effort, apart from enhancing operational efficiency.
Some organizations already have systems to meet the above criteria. However, most of these are stand-alone systems that only meet the specifications of one activity such as compliance, or audits, or control monitoring. Coordinating the activities of these systems across the enterprise can be complex and laborious.
On the other hand, a system that enables enterprise-wide integration of all aspects of compliance and audits will offer better visibility, centralized information management, enhanced collaboration and more effective management of compliance. It will also help iron out compliance gaps and inconsistencies so that independent external auditors can give the organization a clean chit of compliance. In turn, the OIG will be assured that the organization is committed to building a quality compliance program, and ensuring that future fraud or misconduct does not occur.
MetricStream Solutions for Compliance with Corporate Integrity Agreements
MetricStream offers an advanced, comprehensive system to efficiently manage all aspects of CIA compliance, ranging from risk assessment, to control testing and monitoring, to audit lifecycle management, to issue remediation, to reporting, to training. The system also enables comprehensive compliance with all other regulations including FDA, HIPAA/HITECH, CMS mandates and the Affordable Care Act.
Built on a single platform, the MetricStream solution can be extended across the enterprise for seamless coordination of CIA compliance processes and audits. The solution is packed with powerful capabilities such as risk heat maps, regulatory tracking alerts, automated issue remediation workflows, a centralized document repository, executive dashboards and embedded best practices. All these features come together to empower organizations to meet the demands of CIA and other compliance regulations with ease and efficiency.
The MetricStream solution provides a centralized framework to define and maintain CIA compliance initiatives including processes and assets in scope, risks for the processes and assets, controls to address the risks and mechanisms to assess controls. It enables organizations to map CIA requirements to the corresponding internal policies, procedures, risks and controls across the enterprise.
The solution automates critical compliance workflows such as control assessments and testing, thus reducing overall costs. It also provides a single point of reference to manage compliance with the complete spectrum of industry regulations.
Using the MetricStream solution, organizations will be able to streamline control management across the enterprise. It helps link regulations with the required risks, controls, processes and documents. A centralized library of risks and controls enables seamless information sharing which, in turn, ensures that controls and compliance activities are not duplicated.
Policy and Procedure Management
The MetricStream solution offers a flexible framework to streamline the creation and management of policies and procedures in line with CIA requirements. The solution automates the development, maintenance and communication of policies, while closely mapping CIA policies to the organizational framework for compliance, risk and control management. Organizations can therefore seamlessly integrate policy guidelines with control assessments, risk monitoring and issue remediation.
Using collaboration tools, users can review policies for changes and approvals. In-built automatic alerts facilitate policy distribution and acceptance. The system also provides the capability to configure and execute surveys, certifications and self-assessments for policy distribution management and acceptance.
Although CIAs mandate an independent audit review, it is important to establish an internal audit framework that proactively identifies gaps and inconsistencies in compliance processes.
MetricStream offers a comprehensive solution to manage the complete audit lifecycle, right from audit planning and scheduling, to field data collection, to the development of audit reports and recommendations, to the review and implementation of these recommendations.
The solution seamlessly integrates with other enterprise systems to capture the required information. It also provides offline capabilities to conduct audits in remote sites. All workflows are streamlined, automated and systematic, enabling closed-loop audit cycles and eliminating audit errors and inconsistencies.
The system helps auditors define a logical audit structure, replete with detailed audit templates, evaluation criteria, checklists and tasks. It also enables audits to be triggered periodically or on an ad hoc basis, with automatic notifications.
All quantitative and qualitative findings can be recorded in the system. Audit results and recommendations are automatically routed for review, approval, rejection and, if required, issue remediation.
Issue & Investigation Management
The MetricStream issue management solution enables organizations to proactively identify and remedy issues arising from CIA compliance. It assigns a unique ID to each issue, allowing it to be tracked from one stage to the next. It also captures all the information about the issue and enables it to be categorized based on predefined criteria.
Failure investigations are conducted to determine the root cause of the issue. The investigation is driven by collaborative workflows that ensure responses by assigning investigative tasks to the appropriate individuals. Once a corrective action is initiated, the case remains open until the action plan is carried out. The process is kept on track through automatic alerts that are delivered to the personnel responsible for issue investigation and remediation.
The MetricStream document management solution provides a web-based, centralized repository to store and access the complete range of CIA documentation. This includes CIA requirements, internal policies and procedures, control assessments and reports. In-built collaboration tools provide the ability to access, create, modify, review and approve documents from anywhere across the enterprise.
Powerful capabilities simplify the search for documents and enable easy cross-referencing. Time-stamped audit trails and electronic signatures ensure that documents are accessed and modified only by authorized personnel.
Reports and Dashboards
The MetricStream solution contains advanced dashboards with drill-down capabilities that provide real-time visibility into the status of CIA compliance and audit processes. In addition, comprehensive compliance and audit scorecards offer color-coded results of control assessments, audit scores and more, highlighting areas that require attention.
These dashboards and reports offer a quick, clear snapshot of CIA compliance across the enterprise. They enable compliance officers and other managers to attest CIA compliance reports with complete confidence and knowledge. They also help them make informed decisions regarding compliance.
MetricStream supports the creation of OIG-mandated reports such as implementation and annual reports. The solution captures the required information from across the enterprise through surveys, certifications and self-assessments. It then exports the information to predetermined CIA report templates, which can be sent to the OIG.
Certifications and Attestations
The solution provides a systematic mechanism for managing certifications in a consistent, reliable and predictable manner. It ensures accountability by enforcing the flow of information and records, and documenting attestations and representations at appropriate stages.
The solution provides the capability to configure and execute certifications and self-assessments based on predefined templates and schedules for designated executives. It also supports procedures for affirming the strength of internal controls and adherence to policies. This information can be signed electronically at departmental and functional levels, and rolled up to executive management. They, in turn, can review and certify the overall risk and control assessment for the enterprise in line with CIA requirements.
The MetricStream solution has the ability to integrate with OIG regulatory sources and capture regulatory alerts, opinions, news and bulletins. It enables organizations to stay updated on all OIG information and track changes as they occur.
The solution also captures information from other regulatory sources such as HIPAA and CMS through emails, RSS feeds and other online channels. The resultant updates are automatically analysed and mapped to the organization’s compliance program, triggering policy updates as well as risk and control assessments.
MetricStream helps organizations comply with the training requirements of CIA compliance. Its solution enables effective management of the overall training process by maintaining course offerings and course descriptions for easy review, scheduling classes, conducting tests, evaluating performance, providing feedback on instructors and course material effectiveness, maintaining training records and conducting gap analyses.
The solution offers a centralized repository of all training-related information that is tightly integrated with internal policies and procedures. Therefore, any change to policies automatically triggers an alert for training.
Training courses can be supplemented with world-class online training programs from MetricStream’s acclaimed portal, ComplianceOnline.com. The portal connects organizations to compliance experts, news, best practices and other useful resources from across the globe.
Benefits of MetricStream Solution
MetricStream solutions are widely used in leading healthcare organizations across the globe. That’s because they are designed keeping in mind the entire spectrum of GRC challenges encountered by healthcare providers. MetricStream solutions provide the flexibility and scalability to meet even the most unique risk, compliance and audit requirements. Using these solutions, healthcare organizations can enjoy the following benefits:
MetricStream is a market leader in Enterprise-wide Governance, Risk, Compliance (GRC) and Quality Management Solutions for global corporations. MetricStream solutions are used by leading corporations such as UBS, P&G, Constellation Energy, Pfizer, Philips, BAE Systems, Twitter, SanDisk, Cummins and Sonic Automotive in diverse industries such as Financial Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail, CPG, Government, Hi-tech and Manufacturing to manage their risk management, quality processes, regulatory and industry-mandated compliance and corporate governance initiatives, as well as several million compliance professionals worldwide via the www.ComplianceOnline.com portal. MetricStream is headquartered in Palo Alto, California and can be reached at www.metricstream.com.