While most everyone I speak with these days relies on the Centers for Medicare & Medicaid Services (CMS) Program Audit Protocol to review their compliance program effectiveness (CPE), it is imperative to review a compliance program through another lens.
The United States Department of Justice (DOJ) recently updated their guidance for prosecutors on the evaluation of a compliance program’s effectiveness. The three fundamental questions are as follows:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith (implemented effectively)?
- Does the corporation’s compliance program work in practice?
For anyone new to reviewing a compliance program, or if you are a compliance professional performing a self evaluation, the DOJ provides key considerations and questions to ask in order to make solid determinations on these questions. Tracer samples are one way to identify patterns, and that is core to CMS’ current methodology. However, I have discussed many of these DOJ-identified additional factors with clients recently:
- Risk Assessment: are resources devoted disproportionately to low-risk issues?
- Third Party Management: What are the actions and consequences of third party (vendor or delegate) misconduct?
- Culture: Do top leaders set the tone to encourage compliance? Does Compliance have sufficient seniority and autonomy to perform their duties, and has the organization allocated sufficient funds for the function?
I mentioned in a previous post that “we are most comfortable in roads we’ve traveled over and over, and therefore might be more susceptible to distraction.” If you are using the CMS CPE protocol every year, consider revising your methodology with some frequency. The industry’s methods and recommendations are evolving; make sure you change with the times. Enforcement actions will tell a story soon enough – do not become part of that story.