American Association for Physician Leadership

Operations and Policy

Whistleblowers: Why Written Compliance Policies and Internal Audits Are Important

Debra Cascardo, MA, MPA, CFP

October 8, 2017


Abstract:

In 2016, nearly a quarter million whistleblowers contacted the Office of Inspector General directly or through its hotline, most stating that they first tried to raise their concerns internally, but either they had no avenue to do so or their information was not acted upon. Simply including compliance policies in your policies and procedures manual is not enough. The policies and procedures must be reviewed at least annually with training sessions for all employees. Most importantly, the procedures for employees or patients to raise concerns about noncompliance must be clear and must elicit responses from management.




Simply including compliance policies in your policies and procedures manual is not enough. The policies and procedures must be reviewed at least annually with training sessions for all employees. Most importantly, the procedures for employees or patients to raise concerns about noncompliance must be clear and must elicit responses from management. How an organization responds to complaints can be the difference between an effective program that reduces risk of liabilities and one that increases exposure to them.

In 2016, nearly a quarter million whistleblowers contacted the Office of Inspector General directly or through its hotline, most stating that they first tried to raise their concerns internally, but either they had no avenue to do so or their information was not acted upon. Setting up an anonymous hotline for employees to voice concerns is important. However, management also must respond to this hotline to investigate the issue and make corrections if warranted.

Effective internal investigations should follow these steps:

  1. Gathering background information;

  2. Planning the investigation;

  3. Initiating the investigation;

  4. Executing interim actions in the organization;

  5. Gathering documentary evidence and conducting interviews;

  6. Writing the final investigation report; and

  7. Closing the case and communicating findings.

To avoid potential problems and liability, it is advisable to establish a Predicating Authority in your policies. This person has the authority to evaluate and decide what further action will be taken on a complaint or allegation. In many cases, the Predicating Authority is the Chief Officer, Human Resources Manager, or Legal Counsel. Personnel in legal, compliance, and human resources positions should play a role in the investigation.

Initial Complaint or Allegation

A complaint or allegation can be initiated by an employee, a patient, or a vendor, or through an anonymous hotline. It can be a general complaint or a detailed outline of the alleged compliance breach, billing discrepancy, or other issue. Regardless of the source and the amount of detail provided, every complaint and allegation must be recognized and evaluated for the best way to proceed with the investigation. This initial evaluation must be made immediately by the Predicating Authority to avoid aggravating the situation.

The Predicating Authority evaluates complaints, allegations, or other information received to determine whether the allegation would be actionable should the information prove true. Part of this evaluation involves determining any potential liability issues related to the allegations or the manner in which the investigation is going to be conducted.

It is important to document the complaint or allegation, the date of initial receipt and review, the practice’s decision as to what further investigation is necessary, or the resolution of the issue.

If this initial evaluation determines that further investigation is warranted, the Predicating Authority will decide what to investigate, and how to investigate. The wrong decision at this stage will affect every subsequent decision and action. It is becoming increasingly common to refer to this evaluation process as “triaging” the complaint, which is a process in which things are ranked in terms of importance or priority. What it comes down to is quickly making an accurate assessment of information to decide how much and what type of resources are needed. Triaging may require some initial action steps before a proper assessment can be made.

Gathering Information

To make the assessment, the Predicating Authority should review the information on hand and determine which of the assertions are established facts and which are in dispute. It is important to scrutinize the source of information for reliability. Sources of information could be:

  • The complainant;

  • An anonymous hotline tip;

  • A current or former employee;

  • The media;

  • A legal action;

  • A request from a government agency; or

  • Another healthcare provider.

The vast majority of complaints or allegations come from within an organization—from employees, management, or the board of directors, or from Human Resources or the Compliance Officer as a result of hotline tips or ongoing auditing and monitoring. Understanding the motivation of the complainant could be vital. Is the complaint valid? Or could it be a way of making the practice or someone in particular look bad? Are the facts exaggerated or distorted? Is it possible that the allegation, especially if it is from an anonymous complainant, is false, with an ulterior motive of professionally harming someone? If the investigating officer has convincing evidence that the information in the allegation is false and malicious and that the person made a deliberate false claim, the claimant could be subject to investigation.

If the complainant is known, the investigator should try to determine the facts and why the allegation is being made.

If the investigator is not familiar with the site of the complaint or allegation, it could be helpful to physically visit the site of the alleged event, act, or incident to gain a fuller understanding of what the investigation might involve. Understanding the particular work environment, proximity of employees to one another, and access to property or records may help the investigator understand the impact on the complainant, patients, or the organization.

What Is the Violation?

Once the facts are known, the investigator should determine whether the allegation violates the organization’s policies, safety, federal or state law or rules, patient privacy, and so on. What rule does the activity violate? What is the alleged violation’s impact on employees, patients, or the practice?

Does the information regarding the alleged violation need to be turned over to an authorized regulatory or law enforcement agency immediately for investigation? You do not want to be accused of “covering up” a possible violation or obstructing justice just because you initiated an internal investigation of an issue that authorities should have handled from the beginning.

To Further Investigate or Not to Further Investigate?

The Predicating Authority must now decide how to handle the situation:

  • Turn the information over to the proper authorities;

  • Dismiss the allegation as not requiring further investigation or action; or

  • Continue to investigate the complaint.

In many cases, dismissing further investigation may be reasonable. However, any possible future legal liability must be considered. Failing to act upon allegations of serious misconduct, hazardous behavior or conditions, or breach of privacy policies that could lead to a preventable injury in the future could lead to lawsuits and expose the entity to substantial fines or other monetary damages.

Determining the appropriate level of response is important. The Predicating Authority must evaluate all allegations thoroughly and act promptly on the decision as to how to proceed. The best practice is to address all allegations and record the decision in a written report, even for those allegations that do not result in a formal inquiry or investigation. When delays are unavoidable, it is wise to keep in contact with the complainants to assure them that the situation is being handled.

Delaying action by not deciding whether or not to investigate could be seen as a decision to not investigate. In addition to the possibilities listed earlier, the complainant could be subject to retaliation while awaiting a decision on the original allegation, which will incur new complaints and liability.

All allegations require an internal inquiry to check for credible information of potential wrongdoing or breach of policy.

If the Predicating Authority determines the complaint does not warrant investigation, the complainant should be told the reason and given an opportunity to provide additional information.

The Internal Investigation

Internal investigations can confirm or refute the information provided by a complainant. Allegations are not always factually accurate. Allegations are not always validated by the investigation. Allegations are not always true. However, all allegations require an internal inquiry to check for credible information of potential wrongdoing or breach of policy. Not every complaint, however, will require a full, formal investigation.

The Predicating Authority may decide to undertake a limited-scope internal inquiry to further evaluate the information or establish whether there are grounds for administrative action should the allegations be borne out by a full investigation. Many times, the decision is that there are insufficient information and evidence on the face of the complaint to warrant a full-scope internal investigation. Decisions regarding the conduct of investigations are not a science. It always comes down to a series of judgment calls.

Most complaints and allegations can be resolved with a limited amount of investigation or internal inquiry in a matter of hours or a few days. Many times the facts stand on their own merits and are not subject to dispute; the only problem is figuring out what they mean. The compliance investigation may be limited to filling in a few gaps in the facts to make the decision. In some cases, the complainant alleges a wrong that may be serious to him or her but is relatively trivial for the organization. However, even a minor issue may be a problem if it is part of a pattern or is symptomatic of something more serious. The best practice is to look for patterns emerging from what appear to be trivial issues. In many cases, minor allegations and complaints may be symptoms of a pattern relating to the same source of problems. It may be a manager who seems to draw complaints for repeating the same bad behavior over a period of time. It could be a pattern that is linked to poor written guidance that causes problems. In some cases a pattern of small problems may be more serious than one big isolated event. In some cases, a pattern may even result in a class action suit. Even seemingly minor workplace complaints need to be evaluated. One of the most common errors of internal investigators is failing to respond to misconduct allegations in the workplace. One of the biggest problems with Compliance Officers and other designated internal investigators is that they underestimate or ignore lesser issues, such as violations of policies and procedures of the organization. If one purpose of a written policy and procedures manual is to involve all employees to help ensure compliance with applicable laws and regulations, then the organization must show concern for employee issues as well, not just issues that may have a major impact on the organization.

Acting promptly on concerns and complaints by employees sends a message that the Compliance Officer and the organization are serious about enforcing the compliance policies. There is no room for discretion to be exercised in investigating violations of federal and state laws, such as fraud against the government and unlawful harassment, among others. If, after investigation, the conclusion is that the complaint was without merit, the organization must carefully and fully document the investigative process and the decision and ensure that the document is adequate to meet a challenge by government agencies.

Patient Privacy Policies

Compliance with HIPAA privacy regulations often is a source of complaints in today’s medical practices, which depend on electronic health records and other electronic means of handling patient data. All employees must be aware of the regulations regarding protected health information (PHI) and the importance of securing all data. The following points should be stressed in policies and procedures to lower the possibility of a breach:

  • Train employees to understand that software breaches often occur when an employee clicks on an email link or attachment, or responds to “phishing” inquiries.

  • Focus security efforts on those files that are most critical, such as patient records.

  • Conduct a risk analysis to identify vulnerabilities of your electronic PHI system and ways to mitigate or remediate these identified risks.

  • Develop and implement policies and procedures on how to take precautions against malware.

  • Limit access to PHI to people and programs that require such access.

  • Maintain disaster recovery plans, emergency operations, and data backups to assist in restoring lost data in case of an attack.

  • Configure e-mail servers to block zip files or other files that are likely to be malicious.

  • Move quickly on any report of an attack to prevent the malware from spreading by disconnecting infected systems from a network, disabling WiFi, and removing USB sticks or external hard drives connected to an infected computer system.

  • Restrict permissions to certain network areas by limiting the number of people who can access files on a single server, so that if a server gets infected, the infection won’t spread to everyone.

Summary

Carefully examine and evaluate all allegations and complaints for substance and credibility, as well as the information and sources needed to confirm the validity or lack thereof. It is critical to act promptly in deciding what action, including investigation, is appropriate. Delays in this process can only increase the likelihood of a bad outcome. Whenever allegations are being evaluated, ask several questions about what is being provided, such as the following:

  • Who would be the appropriate party to resolve this issue (e.g., Compliance Officer, Human Resources, Legal Counsel, Privacy Officer, CFO, Supervisory Management)?

  • If the information is borne out by investigation, would it be actionable?

  • Is there sufficient information to provide logical leads to prove or disprove the allegation?

  • Is there sufficient information in the complaint to institute an internal investigation?

  • Should Legal Counsel be involved, and, if so, at what point?

Debra Cascardo, MA, MPA, CFP

Principal, The Cascardo Consulting Group, and Fellow, New York Academy of Medicine; phone: 914-358-9553; fax: 914-358-9554; e-mail: dcascardo@aol.com

Interested in sharing leadership insights? Contribute



This article is available to Subscribers of JMPM.

Log in to view.

For over 45 years.

The American Association for Physician Leadership has helped physicians develop their leadership skills through education, career development, thought leadership and community building.

The American Association for Physician Leadership (AAPL) changed its name from the American College of Physician Executives (ACPE) in 2014. We may have changed our name, but we are the same organization that has been serving physician leaders since 1975.

CONTACT US

Mail Processing Address
PO Box 96503 I BMB 97493
Washington, DC 20090-6503

Payment Remittance Address
PO Box 745725
Atlanta, GA 30374-5725
(800) 562-8088
(813) 287-8993 Fax
customerservice@physicianleaders.org

CONNECT WITH US

LOOKING TO ENGAGE YOUR STAFF?

AAPL providers leadership development programs designed to retain valuable team members and improve patient outcomes.

American Association for Physician Leadership®

formerly known as the American College of Physician Executives (ACPE)