Compliance in an Outsourced World

Copyright 2009 Citadel Compliance Group LLC

HCCA Compliance Institute

April 26-29, 2009

Karen D. Wilson

Citadel Compliance Group, LLC

Dallas, Texas

www.citadelcompliance.com

information@citadelcompliance.com

Copyright 2008 Citadel Compliance Group LLC

Today’s Themes

• Embedded risks in outsourced functions

• New risks triggered by service delivery models

• Rigorous transaction scrutiny is needed

• Sustained oversight and relationship management

• Healthcare outsourcing and compliance risks

• Role for compliance personnel

Let’s Define Our Terms

Outsourcing

• Operations managed by a third party

• Capital investment, service levels

• Innovation

• Technology & process

• Long-term relationship

Offshoring

• Foreign sites, local workers

• Labor rates, English-speaking

• Interdependent services

• Multiple countries & time zones

Outsourcing and offshoring are not synonymous.

Why Outsource?

• Reduce costs

• Drive innovation & technology

• Redeploy internal resources

• Offload risk & low-value operations

• Improve focus

• Access world-class capabilities

• Accelerate re-engineering benefits

“Your mess for less”

New Services, New Risks

Value-Added Services

» Logistics, Transportation

» Engineering, Animation

» Research

» Human Resources

» Medical & Legal Transcription

» Procurement

» Debt Collection

» Tax Services

» Records & Email Management

» Compliance

Compliance Risks -- Know Them When You See Them

Industry-Specific

• Healthcare

• Banking, Insurance

• Securities

• Telecommunications

• Transportation

• Education

• Agency-specific

Compliance Risks -- Know Them When You See Them

Industry-Neutral Laws & Regulations

• Data Privacy & Security; PCI

• Conflicts of Interest

• Kickbacks, Bribery, Fraud

• Government Contracting

• Securities & Insider Trading

• Employment & Labor

• Advertising & Marketing

• Intellectual Property; Software Licensing

• Antitrust, Fair Competition

• Consumer Protection; Regulations E&Z

• Export-Import

• USA Patriot Act

• Records Management & E-Discovery

Healthcare Compliance Programs

Areas of Focus

• Fraud, waste & abuse

• Physician referrals

• Kickbacks

• Data privacy & security

• False claims

• Patient rights

• Certification standards

Healthcare Compliance Standards

Laws and Regulations

• OIG Compliance Program Guidance

• Federal Sentencing Guidelines

• Federal Anti-Kickback Act

• Federal False Claims Act

• PhRMA & AdvMed Codes of Conduct

• CMS Compliance Program Requirements

• HIPAA

• Healthcare Fraud & Abuse Control Program

• FDA Labeling & Promotion

• State laws

Healthcare Compliance Standards

Federal Sentencing Guidelines: Seven Elements of Effective Compliance & Ethics Programs

– Board oversight

– Designated Compliance Officer & Management Committee; Tone at the Top

– Written policies and procedures

– Training and awareness

– Monitoring and auditing

– Enforcement of standards through disciplinary guidelines

– Systemic fix to core cause of breach to prevent future violations

Healthcare Compliance Enforcement

Who Are the Enforcers?

• OIG Audit & Investigation

• U.S. Department of Justice

• FBI, Treasury Department

• Other federal, state agencies (e.g., Banking, Insurance)

• Patients

• Interest groups

• Private litigants

What Do They Expect?

– Oversight of the program

– Reasonable knowledge of key risks

– Independence of compliance personnel

– Adequate resources, support

Healthcare Compliance and Outsourcing

Outsourcing and Healthcare Compliance

Identify outsourced services with embedded regulatory requirements

– Data entry

– Claims processing and payment

– Email and records management

– Data center

– Technology development

– IT operations

– Helpdesk

– Website hosting

– Client services, call centers

– Remittance processing

– Collections

Managing Compliance While Outsourcing

• Understand the outsourcer’s service model & data flows

• Examine closely services delivered partly or wholly from offshore

• Understand how and by whom a function will be managed by the outsourcer vs. the client

• Review policies and procedures & fill any gaps

• Identify critical employees and controls required to maintain compliance after a function is outsourced

• Prohibit the use of subcontractors for services with high compliance risk

• Address duties and liabilities in the contract in adequate detail; allow flexibility for future changes in the law and the client’s business

• Identify costs of compliance and obligations to pay

• Monitor and manage throughout the relationship

Where Are the Risks?

Healthcare Compliance Risks

• HIPAA

• Fraud

• False Claims

• OIG Investigations, Audits

General Compliance Risks

• Data Privacy & Security

• Conflicts of Interest

• Intellectual Property & Third Party Software

• Antitrust (Teaming Agreements)

• Export-Import & USA Patriot Act; E-Verify

• Regulation Z and E; PCI

• Consumer Regulations; Red Flag Rules

• Government Contracting; FAR

• Electronic Discovery Rules

Services

• Claims Processing

• Data Entry

• Remittance

• Payments

• Data Center Operations

• Systems & Programming

• Helpdesk

• Website Hosting

• Messaging & Email

• Records Management

• Call Centers

• Human Resources

• Finance & Accounting

Don’t Forget Risks From Outside Sources

• Subcontractors & vendors

• Licensed software

• Mission-critical technology and licensed software

• Foreign laws & regulations

• Political & legal stability

• Environment & natural disaster

• Customers and patients

• Outsourcer’s stability (e.g., Satyam)

Compliance Needs a Champion!

• Value-added role

• Contracts surprisingly vague

• Rules and standards are needed

• Focus on process -- how, who & when

• Use experts

• Enforce obligations with audits

• Manage relationship for the long term