Compliance in an Outsourced World
Copyright 2009 Citadel Compliance Group LLC
Compliance in an Outsourced World
HCCA Compliance Institute
April 26-29, 2009
Karen D. Wilson
Citadel Compliance Group, LLC
Dallas, Texas
www.citadelcompliance.com
information@[email protected]
Copyright 2008 Citadel Compliance Group LLC
Today’s Themes
• Embedded risks in outsourced functions
• New risks triggered by service delivery models
• Rigorous transaction scrutiny is needed
• Sustained oversight and relationship management
• Healthcare outsourcing and compliance risks
• Role for compliance personnel
Let’s Define Our Terms
Outsourcing
• Operations managed by a third party
• Capital investment, service levels
• Innovation
• Technology & process
• Long-term relationship
Offshoring
• Foreign sites, local workers
• Labor rates, English-speaking
• Interdependent services
• Multiple countries & time zones
Outsourcing and offshoring are not synonymous.
Why Outsource?
• Reduce costs
• Drive innovation & technology
• Redeploy internal resources
• Offload risk & low-value operations
• Improve focus
• Access world-class capabilities
• Accelerate re-engineering benefits
“Your mess for less”
New Services, New Risks
Value-Added Services
» Logistics, Transportation
» Engineering, Animation
» Research
» Human Resources
» Medical & Legal Transcription
» Procurement
» Debt Collection
» Tax Services
» Records & Email Management
» Compliance
Compliance Risks -- Know Them When You See Them
Industry-Specific
• Healthcare
• Banking, Insurance
• Securities
• Telecommunications
• Transportation
• Education
• Agency-specific
Compliance Risks -- Know Them When You See Them
Industry-Neutral Laws & Regulations
• Data Privacy & Security; PCI
• Conflicts of Interest
• Kickbacks, Bribery, Fraud
• Government Contracting
• Securities & Insider Trading
• Employment & Labor
• Advertising & Marketing
• Intellectual Property; Software Licensing
• Antitrust, Fair Competition
• Consumer Protection; Regulations E&Z
• Export-Import
• USA Patriot Act
• Records Management & E-Discovery
Healthcare Compliance Programs
Areas of Focus
• Fraud, waste & abuse
• Physician referrals
• Kickbacks
• Data privacy & security
• False claims
• Patient rights
• Certification standards
Healthcare Compliance Standards
Laws and Regulations
• OIG Compliance Program Guidance
• Federal Sentencing Guidelines
• Federal Anti-Kickback Act
• Federal False Claims Act
• PhRMA & AdvMed Codes of Conduct
• CMS Compliance Program Requirements
• HIPAA
• Healthcare Fraud & Abuse Control Program
• FDA Labeling & Promotion
• State laws
Healthcare Compliance Standards
Federal Sentencing Guidelines: Seven Elements of Effective Compliance & Ethics Programs
– Board oversight
– Designated Compliance Officer & Management Committee; Tone at the Top
– Written policies and procedures
– Training and awareness
– Monitoring and auditing
– Enforcement of standards through disciplinary guidelines
– Systemic fix to core cause of breach to prevent future violations
Healthcare Compliance Enforcement
Who Are the Enforcers?
• OIG Audit & Investigation
• U.S. Department of Justice
• FBI, Treasury Department
• Other federal, state agencies (e.g., Banking, Insurance)
• Patients
• Interest groups
• Private litigants
What Do They Expect?
– Oversight of the program
– Reasonable knowledge of key risks
– Independence of compliance personnel
– Adequate resources, support
Healthcare Compliance and Outsourcing
Outsourcing and Healthcare Compliance
Identify outsourced services with embedded regulatory requirements
– Data entry
– Claims processing and payment
– Email and records management
– Data center
– Technology development
– IT operations
– Helpdesk
– Website hosting
– Client services, call centers
– Remittance processing
– Collections
Managing Compliance While Outsourcing
• Understand the outsourcer’s service model & data flows
• Examine closely services delivered partly or wholly from offshore
• Understand how and by whom a function will be managed by the outsourcer vs. the client
• Review policies and procedures & fill any gaps
• Identify critical employees and controls required to maintain compliance after a function is outsourced
• Prohibit the use of subcontractors for services with high compliance risk
• Address duties and liabilities in the contract in adequate detail; allow flexibility for future changes in the law and the client’s business
• Identify costs of compliance and obligations to pay
• Monitor and manage throughout the relationship
Where Are the Risks?
Healthcare Compliance Risks
• HIPAA
• Fraud
• False Claims
• OIG Investigations, Audits
General Compliance Risks
• Data Privacy & Security
• Conflicts of Interest
• Intellectual Property & Third Party Software
• Antitrust (Teaming Agreements)
• Export-Import & USA Patriot Act; E-Verify
• Regulation Z and E; PCI
• Consumer Regulations; Red Flag Rules
• Government Contracting; FAR
• Electronic Discovery Rules
Services
• Claims Processing
• Data Entry
• Remittance
• Payments
• Data Center Operations
• Systems & Programming
• Helpdesk
• Website Hosting
• Messaging & Email
• Records Management
• Call Centers
• Human Resources
• Finance & Accounting
Don’t Forget Risks From Outside Sources
• Subcontractors & vendors
• Licensed software
• Mission-critical technology and licensed software
• Foreign laws & regulations
• Political & legal stability
• Environment & natural disaster
• Customers and patients
• Outsourcer’s stability (e.g., Satyam)
Compliance Needs a Champion!
• Value-added role
• Contracts surprisingly vague
• Rules and standards are needed
• Focus on process -- how, who & when
• Use experts
• Enforce obligations with audits
• Manage relationship for the long term