Episode 5: An Attorney Talks Compliance

Episode Transcript

CJ Wolf: Hello, this is CJ Wolf from Healthicity, and welcome to another episode of compliance conversations. Today, we have a wonderful guest, Nick Merkin, who is CEO of ‘Compliagent.’ Welcome, nick.

NICK MERKIN: Thank you. Hi CJ, how are you?

CJ WOLF: Good and you're joining us from sunny California

NICK MERKIN: I am, don’t want to make anybody jealous, but am looking out my windows and looking at the ocean from here.

CJ WOLF: Very nice, I am jealous, I will have to come out and see you. We really appreciate your time, Nick, and before we actually get into talking about some of the questions that I wanted to ask you, could you give our listeners a brief introduction about your background. I know you have a unique background professionally and then tell us a little bit about what you’re doing right now.

NICK MERKIN: Sure, so I am a lawyer by training and by background. I spent the first nine or 10 years of my career practicing healthcare law, primarily in litigation, sort of a compliance-related or government enforcement action litigation defense. About four or five years ago now, with a couple of co-founders, I started a healthcare compliance consulting firm designed to build out compliance programs and compliance infrastructure for healthcare providers. So, we work with a variety of different kinds of providers all around the country, we have a big practice as opposed to care space but also with many sorts of ancillary providers and some of the more traditional ones, like physicians and hospitals as well.

CJ WOLF; right and the name of the group is ‘Compliagent, right?

NICK MERKIN: That’s right.

CJ WOLF: Oh very good folks, you will have to check that out. Well, you know one of the reasons that I wanted to have you on as a guest,  number 1 is you are a great colleague and you have a lot of experience in compliance, but your background is unique. As you mentioned, being trained as an attorney, and I was wondering if we could kind of start by chatting a little bit, because a lot of folks in compliance come from different backgrounds and a big chunk of folks come from the legal field or legal profession. I was wondering what your thoughts were, given that a lot of organizations have legal departments and we are seeing compliance departments sometimes reporting to legal or separate and we see all sorts of variations, in your mind, how is a compliance function different from the legal functions in an organization?

NICK MERKIN: Right, it’s a good question, and I mean, stepping back from the question for second, it’s important to realize that compliance as a discipline or compliance as a profession or an independent function, is relatively new and obviously relatively new with respect to being an attorney or being a lawyer, so to some extent I think the question that you’re asking as gone through some evolution in ………. Unclear audio …..[3:19.5] ratio over the years, you know, it wasn’t until the late 90s that the OIG came out with compliance program guidance and started recommending. And you know, more recently demanding or making mandatory that healthcare providers or at least healthcare providers that are getting government money have proactive compliance programs. The discipline is new and the question is new. I think in a lot of people’s minds, even if you ask people who are working compliance, or the people who are working as General Counsel or outside counsel or within legal departments of healthcare providers, what the difference is. I think you'll probably get a dozen at least different answers, but the way I look at things is a chief compliance officer or the compliance function is really a management function. Know there is a legal background to the functions certainly, but really it is something… I think when compliance is done well and done correctly and done in cooperation and conjunction with the legal function, compliance is really focused on the processes and infrastructure of the organizations. So in some respects, it really looks at the regulatory and compliance backbone of an organization for example. Policies and procedures, getting those where they should be with the clarity they need and you making sure that an organization has what it needs, education and training, making sure that staff training as it relates to compliance issues you know whether it’s anti-kickback or a billing and coding question or HIPAA, that everybody within the staff of a healthcare organization is where it should be. Auditing and monitoring, hotlines and investigations they are ancillary to that and then reporting directly to the C-level personnel of the organization or being a C-level person in the organization but reported to the governing board. By contrast, the legal function, which is very important and equally important is to give legal advice. What you’re asking your General Counsel is, "I have particular business objectives that I want to reach, tell me the way that I can do it legally?" And I think there’s certainly overlaps in cooperation that is necessary between those two jobs but they really are very much separate and distinct and really coequal

CJ WOLF: yeah that’s great insight ....along with that, so that is a good answer for how the functions in an organization is different maybe we can talk about the skill sets or the  personality or the thinking patterns, you know you are trained as an attorney and a lot of attorneys think a certain way. How is the thinking of an attorney a little bit different than the thinking of a compliance officer? I mean you mentioned management vs. maybe a legal analysis but are there any other thoughts on that?

NICK MERKIN: yea probably the best way to talk about it is to give an example, you know to take something that is sort of discreet and everyone would understand, Let’s say a HIPAA breach. So as an attorney if I was looking at the problem of a HIPAA breach and somebody from my organization/ my company comes to me and says I think we have a breach let’s sit down at the table what to do next? so you are sitting at the table and the general council is there and the chief compliance officer is there, so if I am the general counsel, the immediate and the most important question that I would be asking is about liability, you know, what should we do next to minimize our liability or......unclear audio [   ] asking the ............. [  ] question of why is there a breach, you know if there was a breach what are my legal obligations to do next?

CJ WOLF: Right

NICK MERKIN: what are the ways in which I can mitigate the legal liabilities that might arise or ensue from this potential HIPAA breach?

CJ WOLF: right

NICK MERKIN: You know, if there's going to be litigation or some kind of enforcement issue that arises out of the HIPAA breach, how do I defend that, how am I going to successfully defend that?

CJ WOLF: Right

NICK MERKIN: So, I would say by contrast, a compliance personnel or a compliance officer is going to ask a sort of different set of questions, some of it, again as I was saying before, is systems and prophecies. So they might look at this and say well, why did this breach happen, is it because our policies and procedures were unclear? Maybe, let’s say it was a staff member who made a certain mistake with inscription or security. Was that not clear? And the next question is, was that person trained properly, is this a potentially greater problem waiting to happen because there are others who are not trained properly, how can we determine that? Maybe we need to audit our training, maybe we need to figure out the skill levels of our staff, maybe we need to sit down and take a look at those policies and procedures and figure out how to solve them.

CJ WOLF: Yeah

NICK MERKIN: So, I think you know all of those are very legitimate questions to immediately ask when you are faced with a HIPAA breach and all are important to answer but I think that the two different functions maybe are looking in the immediate future more sharply at what’s in their domain

CJ WOLF: Yeah, would you say compliance focuses a little bit more on prevention or is that not a fair statement?

NICK MERKIN: Yeah, yeah, definitely

CJ WOLF: Yeah, okay.

NICK MERKIN: Definitely, yeah, when I think back to my experience as a healthcare attorney and particularly as a litigator what I always tell people is, to a certain extent it really reactive vs. being proactive.

CJ WOLF: Right

NICK MERKIN: And since I talk to a lot of people in the healthcare world I usually say preventative medicine vs. the emergency room

CJ WOLF: Right

NICK MERKIN: Both are really important you want to have really good doctors in your emergency room, and you …….. [09:57.1] emergency room as an attorney, I was trained and my day-to-day functions was to react immediately to a situation that had arisen, you know, I might have some thoughts on how it might be prevented in the future but that really wasn’t my role, my role was you know to put out the fire to resolve the immediate danger...

CJ WOLF: Yeah.

NICK MERKIN: And the immediate problem, as a compliance officer, I look at things much differently and like you’re saying I’m really looking at proactively how can we prevent compliance incidents from occurring in the first place?

CJ WOLF: Right, yeah, that’s kind of what I have experienced. Obviously as you have said before, there is a lot of overlap and there are some of these characteristics in both fields. One of the things that I believe we are seeing a little bit more of, you referred to it with the OIG or the government mandating the compliance program under like a corporate integrity agreement, for example. Actually, this is been the case for years corporate integrity agreement documents get published, the OIG will specifically say you must have. They outline the seven elements of the requirements that they are going to require in that organization but when they get to the designation of the compliance officer they will frequently have language in there that says something like, the compliance officer cannot be general Counselor they should not be subordinate to General Counsel or even subordinate to the CFO. They’re trying to avoid some conflicts. What are some of those potential conflicts that could exist if the compliance officer were also General Counsel or subordinate to General Counsel?

NICK MERKIN: Yeah, great question, and I’m not suggesting that this would definitely happen and am certainly not singling out any particular experience that I have had but I think it goes… The answer to the question really goes back to what are the different concerns of the compliance officer and General Counsel, to give an example of the conflict in that HIPAA situation that we were just discussing it very much could be that the General Counsel would discourage certain kinds of remedial actions such as immediately increasing training, immediately changing policies and procedures or even immediately terminating or disciplining the employee in question because they would be looking at things from the perspective of legal liability and saying well that just doesn’t  look good

CJ WOLF: Yeah

NICK MERKIN: That may be problematical... that somebody might raise that issue in court and you know it’s almost an admission of guilt, the compliance officer is going to feel very strongly okay this happened lets figure out how to make sure it doesn’t happen again, and again both are valid concerns and both need to be balanced….

CJ WOLF: right.

NICK MERKIN: but that’s why they really need to be co equal and one not subordinate to the other.. that decision really has to be made of how to balance the sometimes competing concerns of compliance. The legal function really has to be made by the quarterback who is the CEO or the governing board.

CJ WOLF: yeah that’s a good point. Let me shift gears a little bit… and you know you’re in the business now where you have to convince them, both of us are in this area, you have to convince folks that it’s wise to have a compliance program right? We know that compliance programs are cost centers, they don’t generate revenues for organization so it’s sometimes a difficult pill to swallow, but you know a lot of us talk about compliance programs kind of an unofficial insurance program, maybe against enforcement actions, or if you get an enforcement actions you may be able to demonstrate that it was a one-off or a bad apple that….

NICK MERKIN: right

CJ WOLF: Your culture is good. What are your thoughts about selling compliance that way, is it a preventative measure is it insurance in a way what are your thoughts about that?

NICK MERKIN: That’s a really good point and you know getting back to where we were discussing in the beginning of compliance being a relatively new discipline I think  that only underscores how difficult it is sometimes to sell a potential client or even a current clients on investing heavily in compliance, because historically it isn’t something that in years past many organizations have devoted a lot to, but you’re absolutely right  it’s really hard to make an argument that devoting more resources to compliance is  going to be a big revenue stream you know that certainly for sure, but to me it really all comes back to return on investment and sometimes that return on investment is a mitigation of risk and you know, not getting too deeply into the statistics within the healthcare market The current return on investment for every federal dollar that goes towards compliance enforcement is over 7-1 so that’s a pretty high return on investment for the government….

CJ WOLF: Yeah

NICK MERKIN: and again maybe it’s even higher if you’re a plaintiff’s attorney or a class-action attorney.

CJ WOLF: right.

NICK MERKIN: so you really have to look at {undoing what my organization } if my organization is doing what it should be doing in terms of compliance that risk number is going to be mitigated.

CJ WOLF: yea

NICK MERKIN: a couple months back I had lunch with someone who is a former assistant US attorney for healthcare enforcement and she has since moved on to something else but one of the thing that she mentioned to me is, you know when we go in… when investigators go into health care organizations and start asking questions and start looking for things what they’re really looking for is compliance chaos. So an innocuous claim is something that is a seemingly an innocuous question which may be hey, can you show me records of when was the last time you train your staff on a particular issue? and maybe you even did it but you don’t have the documentation to prove it, nobody really remembers where the compliance file is or they asked oh can I see your policies on something?  Well, the person who really knows where that is on vacation this week can we get back to you? What she said to was, “when we see that it’s almost like where there’s smoke there’s fire”…

CJ WOLF: yea

NICK MERKIN:  there is chaos there and if I’m not going to get you on your HIPAA policy being inadequate, then I’ll get you on something else because I know an organization that started giving me answers like that, there is going to be compliance issues there that I can go ahead and prosecute. In contrast when I walk into somewhere and this is you know I think is really where compliance manager and …….. [17:06.2] becomes ….. something that I recommend to my clients is being able to have all of your compliance function organized you know really at a finger tip literally and figuratively, anything can be pulled up and audit you did 2 years ago, a training you did six months ago, who attended a policy that was revised you know a year ago, who signed off on it and who was there at the policy meeting? Being able to pull that up is worth its weight in gold because that’s going to make whether it’s a class-action attorney or a government investigator go across the street to go investigate somebody else…

CJ WOLF: Yea

NICK MERKIN:… because it’s not there. Look and I can tell you as someone who has defended those kinds of cases in sort of my previous role. being able to defend a case where a client can hand over to me all that evidence you know in seconds I can make that case go away much more quickly and much more cheaply than I could if I have to start digging and digging around for things.

CJ WOLF: yea that’s a great point, you know as a compliance officer as somebody who did not have a nice tool to help me manage the program I had to rely on going to my sent items in an email and all sorts of manual processes trying to… yea I know I did the work I know I did the training I know somebody respond but is it all in a nice easily retrievable system and I think you’re right the more organized you are the more organized you will appear because the appearance will reflect what you really are which is organized and taking compliance is a thoughtful role within the organization and not really an afterthought so thanks for that.  You know one of the other things that I know you and I have talked a lot about is talking to folks who have compliance programs and this concept of is it ineffective? We have a compliance program and you could ask somebody. "Yeah, I got one" means they have a binder on the shelf with policies and a named compliance officer but is it really effective? Are there fruits of the labor so to speak and you know the term compliance program effectiveness review comes up. What’s the way? and these can be done both internally and externally let me start first with kind of the internal side of things, how would a program go about measuring themselves and looking in the mirror so speak and determine if there programs effective?

NICK MERKIN: So, the first thing I would say, you kind of alluded to internal and external, well any organization whether you are relying on outside help for compliance or whether you are relying on…No matter how formal or informal, your compliance function within your organization should be constantly evaluating and testing the strength of their infrastructure. A lot of people forget that being in compliance, quote unquote, "is not for a moment in time." Having good policies and procedures doesn’t mean I have this book on my shelf that never changes, and even compliance programs themselves with the clients I work with we don’t own we…………unclear audio… [20:37.7] Compliance program on a yearly basis we re-evaluate that you’re semiannually at least and often much more frequent than that. you know there’s a constant back and forth of you know this month versus next month a lot of you know your issues of risk concern might change.

CJ WOLF: Yeah

NICK MERKIN: so you know the first answer that I Would give you is you should always be looking at your compliance effectiveness and one of the best ways to do that is by having an outside third-party organization come in and give you an objective you, and I think that goes a long way because I think internal like we all know even with our own selves internal introspection whether it’s personal or in an organization can be difficult

CJ WOLF: Right

NICK MERKIN: There is a little bit of politics involved, nobody wants to be overly critical of the personages they just went to lunch with the day before or the barbecue you just had on Sunday afternoon. So, it can be really helpful to get a fresh set of eyes, not only because a lot of times there can be someone that brings expertise to the table that someone internally in your organization might not have, but because it can  give you little more independent and objective view. That’s going to be more highly valued within your organization and also frankly more highly valued outside of your organization when you may have to justify at a certain point how effective your compliance program was.

CJ WOLF: Yeah, some of these corporate integrity agreements and settlement agreements that  I read the mandate, like an independent third-party, to do a program review of some sort and why should we wait until we’re mandated to do something? Right, to me that’s a good sign or symptom or evidence that we should probably do some of this proactively on our own to avoid the circumstances that led another organization to be mandated to do it. It’s kind of like we should take our medicine so to speak. When you were talking, the thing that came to my mind, I think a lot of us as individuals have done maybe call 360 evaluations where  in your in your job, you are going to have an annual evaluation, and you send out blindly or at least the response is anonymous to interview four or  five people that you work with within the organization. And they give you anonymous feedback, like you were saying, a separate set, you know as an individual, I think am doing this well but when four people tell me that you could do better in this area, that should make me stand up if I’m serious about trying to improve myself. I agree with you, I think an independent compliance program effectiveness review, at least periodically, can give you kind of that gut check. It can let you feel like, "yep am kicked in the tires and looking under the hood and it’s not just me doing it I have a qualified mechanic who is going to come in and look at that."

NICK MERKIN: Exactly yeah

CJ WOLF: You know with somebody like yourself I think the value as well is somebody like yourself if you are doing that for 200 clients across the country you’re going to be able to give a client real advice to say you know what I do this all the time and these are the best practices these are some of things that are missing, do you do see that in your work?

NICK MERKIN: Yeah, definitely. I always tell my  client that I learned as much from them in their practices as they do for me. You really learn a lot going into an organization for the first time doing a compliance effectiveness review, and trying to get in and provide some compliance guidance by seeing what they  have  done until now, some of their best practices and procedures. Then be able to compare and contrast that with what you have seen about around the country.  I think that is really important. Another important thing to realize for organizations is,  in getting compliance help is not all or nothing. You may start off with a greater amount of help in a  compliance effectiveness review  or you may say, hey, I'm a small organization and this is my first time doing it.

Or, you really do have some good staff, and work out a way to get that help, but really, you have a lot of your internal staff taking the labor on the internal auditing and monitoring and that can work really well that can save costs. So, I think one of the conversations that I often have with clients is, sometimes there’s a perception that, oh well, I'm not a fortune five 500 organization, I don’t have hundreds of millions in revenues, I can’t really afford some of the things that you’re proposing. And, the answer to that is, really that’s most likely not the case, compliance is scalable and providing compliance guidance is scalable

CJ WOLF: Yeah

NICK MERKIN: And, there are ways to do things that are going to get organizations a lot of return on their investment.  From a compliance perspective, it doesn’t have to break the bank and you know… really are focused and cognizant of their bottom line.

CJ WOLF: yea you know and to that point  we see, of course, we see  these large settlements enforcement actions with big numbers with big organizations but I’m seeing more and more even the smaller ones, let’s say if there is a whistleblower for example government is not going to not investigate that  right, because the entity is small and you know the Yates memo says that individual accountability is going to be a little bit more in the focus and we’ve seen that at least anecdotally and so just as compliance is scalable enforcement is scalable too right?

NICK MERKIN: yea definitely.

CJ WOLF: It’s not just the big guys that are going to get hit potentially

NICK MERKIN: Yeah, that’s definitely true and you don’t have to go much farther than Google or even the OIG’s website and look at examples of enforcement action and settlements and penalties by organizations you know big and small.

CJ WOLF: Yeah yeah, you know, when you were talking about your experience with clients does anything comes to the top of your mind as to some of the best practices that you have to see in some effectiveness review that you have done or are there trends or is it just really unique to the client?

NICK MERKIN: There are a couple of things  that I can  probably  point to. One thing to mention, before even answering  that, and this is somewhat connected to our discussion earlier, of  impressing upon organization the importance of compliance. What we're discussing is really hard to sort of attribute a dollar value, to having a good regulatory compliance organization. But, I will tell you that in my experience. Often times, I get involved or we as compliance agents get involved with an organization in a situation where  they are  having some challenges, whether those challenges are coming from a whistleblower or some enforcement pressure or  litigation. They are in a sort of transitional  period and very often as we helped those organizations work through those challenges a lot of the feedback I hear from employees is how much happier they are and motivated and inspired and how  positive they are about the organization in which they are  working because they say, "Wow! This is an organization that is responsive to me, that listens to me, I don’t have to worry, it truly is a culture where if I have the concern the door is always open though the hierarchy for me to raise it." I do think you can really draw a direct line to profitability in an organization like that because your staffing and having a great firm culture can be worth millions without putting too fine a point on it.

CJ WOLF: Yeah, well, that culture  that could maybe ….generated could be originating from a compliance culture could spread to other areas right like maybe people  feel  safer in talking about product innovation  or new model  of care,  I think you’re right,  compliance is one thing that can add to a culture that is safe and creative.

NICK MERKIN: Yeah, and I will answer and give you one example as to the previous question you asked about some of the best practices. I will tell you something in my experience, having an effective hotline really a line of communication and then a subsequent grievance resolution procedure for both your patients or your residence or whoever it might be, but also for your staff really, really, is something that gives you a lot of bang for your bucks so to speak. I think it’s something that takes some work, but it isn’t that difficult to do. What I see, the results in risk mitigation, is that you can get from that, because what you really trying to accomplish is that if there is someone with concerns with the organization and sometimes they are compliance related and sometimes they are just HR related and it might be a staff member complaining about their shift and feeling that they might have been mistreated by supervisors something. A lot of time what I’ve seen is giving an employee or a patient or customer or a resident and Avenue to vent to so that they don’t wind up complaining to their neighborhood plaintiffs attorney

CJ WOLF: Right

NICK MERKIN: Or possibly even worse, calling up the government agency but bringing a problem to you as the organization so that you can resolve it. You know, I think it does so much in terms of risk mitigation, it does a lot in terms of just customer service. I think when people ask me, hey, have got a really limited amount I can spend on compliance, where should I focus my efforts? I always tell people right there that giving people a real, valid address, to voice concerns, and then being really serious about addressing them and resolving them is a really great first step.

CJ WOLF: yeah you know I think you’re right, the bang for the buck there is pretty impressive because you got essentially when you have effective lines of communication you’ve deputized a whole workforce with compliance eyes right? so it’s not expensive to kind of have those open lines of communication and rather than spend a lot of money on proactive data mining, not that these things aren’t important but if you’re limited spend a lot of money on data mining and heavy audits when you’re not paying attention to the people who are inside the house, to begin with, who of already seen some of the problems we your spending money and time and energy on things where there are some low hanging fruits with employees and with open lines of communication like a hotline.

NICK MERKIN: Yeah, that’s a great way to put it.

CJ WOLF: Yeah, well Nick I want to give you an opportunity if you have any last minute comments but as we wrap up here I really enjoyed talking about this you know, and I really appreciate your unique perspective as one who has been trained as an attorney and worked in the legal field but is now both feet in the compliance world and helping clients with compliance. Do you have any parting thoughts or last minute comments that you like to give us

NICK MERKIN: Something just to close with, is the philosophy of compliance that I think really drives Compliagent as an organization, and me personally, as something I really feel strongly about. That’s really the realization that effective compliance is when it’s done right. It’s both a shield and the sword, and what I mean by that is most people, when they think of compliance, they say to themselves, "well okay it may help me identify things that are wrong and then I’m going to fix them," and that’s truly important and that is sort of the sword aspect of things but I think that people, and maybe some of this comes from my attorney background, I mean sort of a defense-oriented background, is compliance is also a great shield. It really allows you to document to everyone, including your own organization, which I think is important but obviously to the outside world as well, just how much you’ve invested and how hard you are working for a compliant organization. A lot of that has to do with proper documentation and proper organization which is really the cornerstone of compliance. What I tell people is, if you can't find proof that you have done something easily enough, then you almost might as well not have done it. Because you’re never going to be able to show the world or show your own employees how hard you’re working, that you have done it. I would encourage organizations to be very open internally on that note with how hard they’re working and how important that compliance culture is because I think you know that is going to payback dividend that makes your organization not only one with the lower risk profile but the better business, and a more profitable organization. At the end of the day, that is what it’s all about.

CJ WOLF: yeah, well folks there you have it from the compliance warrior himself Nick Merkin the shield and the sword. I like that analogy, Nick. Good image thanks so much for your time.

NICK MERKIN: well thank you it’s always great spending time and speaking with you and looking forward to collaborating you know as you have done in the past even more in the future

CJ WOLF: great thank you Nick and thanks to all our listeners will who have listened to this episode. Please join us again for next episode of compliance conversation. Have a great day

End