Borrowing Compliance Best Practices from Other Industries

What do the housing, automotive, technology, and healthcare industries all have in common? Compliance programs and professionals!   

Borrowing best practices from other businesses is a vital strategy for evolving healthcare compliance programs. That’s why we invited Asha Muldro of Guidepost Solutions to chat with us for our latest episode of Compliance Conversations, “What Can Healthcare Compliance Programs Learn from Other Industries? 

Asha has seen it all during her 20-year career in compliance, working as a federal monitor for General Motors and the New York City Housing Authority, and even as a federal prosecutor.  

Join Asha and CJ Wolf, MD, for a fascinating conversation that includes insights on: 

  • Cultivating a “speak up” company culture  
  • Integrating data analytics into your compliance efforts 
  • Finding and leveraging Compliance Ambassadors in your organization 


Listen Now >>


You don’t want to miss this fascinating conversation – Asha's incredible background has given her unique insight into compliance, enforcement, and remediation efforts. She’s a leader in her field and we’re so grateful she took the time to talk with us! 

Listen Here

Episode Transcript

CJ Wolf: Welcome everybody to another episode of Compliance Conversations. I'm CJ Wolf with Healthicity and today's guest is Asha Muldro from Guidepost. Welcome, Asha.  

Asha Muldro: Thank you, thank you for having me CJ.  

CJ Wolf: I'm so excited to have you here as a guest Asha, because I know you have an immense amount of work experience in compliance. And for our listeners, Asha has a lot of experience outside of healthcare as well.  

I know you're doing work in healthcare too, but we can learn so much as an industry from what other compliance programs are doing, and so that's what we're going to try to focus a little bit on today. 

And I want to remind all our listeners as well to please subscribe to the podcast so that you don't miss future episodes and if you like the sessions and the episodes, please hit the like button and give us a little bit of love, that helps others find the podcast when they're searching for compliance and those sorts of things.  

So with that Asha, we'd love to have our guests just start by telling us a little bit about your background. Where you came from? what you were doing before? and what you're currently doing.  

Asha Muldro: Sure, but before I begin CJ, I just wanted to tell you, I am so honored and privileged to be here with you. I am in your professional fan club, so I know that you are just one of the preeminent national experts for healthcare compliance and so it's an honor to be here with you today. Thank you so much for the invitation.   

So, I like to say that I am industry agnostic. I do compliance and internal investigations in any industry. So, I have deep expertise in the automotive industry, healthcare, universities, you know big corporate. You know some of the biggest corporations in the world, too small not-for-profits, whoever needs compliance assistance or internal investigation assistance, I like to help. And I have enough information about varying industries to know that I can help in a holistic way, but I need to bring in deep subject matter experts depending on what the industry is as well. So, I know enough to know when I need more help.  

CJ Wolf: That's a good skill, quite frankly.  

Asha Muldro: So, it's been a lot of fun. It's funny, I've kind of been wearing a compliance advisor hat for 20-plus years before we were even calling it such. But typically, when I've always been in the space in my legal career, where I've been in white collar internal investigations space. So a lot of times when regulators are looking at a particular company or institution, the thought is, well, how do we really clean up or bolster our compliance department and processes? etc. So, I've been pretty much wearing this hat for decades, even those had different names.  

CJ Wolf: That's great, do you mind telling us a little bit about yourself?  You mentioned your legal background. Did you just start working in compliance? I think you have some other enforcement experience too, right?  

Asha Muldro: I am an attorney by training. I've been practicing for over 20 years. I began my career at Latham and Watkins, doing internal investigations and compliance work, there I had a lot of major healthcare clients — including tenants, healthcare, et cetera. And was deeply embedded in hospitals and hospital systems as it related to really bolstering their posture as it relates to department inquiries. I started there many years ago.  

Then I went to the US Attorney's office as a federal prosecutor for seven years in the Central District of California, again doing a wide range of prosecutions ranging from healthcare fraud to cybersecurity to major drug cartels, so a full range of prosecutions, human trafficking, you name it, I did it. I was there for seven years, so it was busy, particularly in LA. 

Then after that, I was a partner at a litigation boutique where I helped to build out their white-collar investigations practice, before I got tapped to come over and lead the LA office of Guidepost Solutions where I specialize in internal investigations, compliance and monitoring, particularly in the compliance space. And one of my very first projects and I can mention it because it's public, we were the federal monitor for General Motors and I helped them with their redesign and compliance program assessment, as it relates to building out a really robust compliance program with them.  

And we're currently also the federal monitor for The New York City Housing Authority, NYCHA, and building a brand new robust 3-department compliance program for them. And then, you know, the assessment, working with the residents who are constantly keeping them accountable for their failures. 

I'm currently working with some of the biggest corporations. I had a recent, really interesting project where I was asked to do a benchmarking exercise where I got to talk to the chief compliance officers at Google and Netflix and Disney and Amazon and Walmart. It was really exciting. I will share some of the innovative things that they're all doing and trying to really be proactive in the compliance space.  

CJ Wolf: That's so great Asha. And I just want to point out to my listeners, what an honor it is to have somebody with your background, because I think in healthcare, sometimes we just get so focused on healthcare compliance and talking to other healthcare compliance professionals we forget that compliance programs are everywhere and there can be best practices gleaned from all of those organizations. 

Part of the reason I'm so excited to speak to you is that you have seen multiple clients. A lot of us might spend 10 years at one organization and we only know the details of our one organization, so some of the questions and topics we're going to talk about today are things you've observed as best practices, what to do, what not to do, that you've seen over probably tens and hundreds of clients potentially. So, thank you for sharing a little bit about that.  

Asha Muldro: Correct, thank you.  

CJ Wolf: Let's jump in, what would you say? What are some of the initial things that we can we in healthcare can learn from kind of non-healthcare or even you know you've worked with healthcare clients too, what are some of those best practices you've started to see?  

Asha Muldro: I'll start with the premise that a lot of corporations, big or small, learn a lot from healthcare because, obviously, it's a highly regulated industry. Healthcare has been really embedded in compliance and best practices, long before some of these other companies really started paying attention to it.  

So when I started in the industry I used to say, particularly in corporations, “they had two types of compliance departments, the one where it was just window dressing, where the compliance officer was just there to sit and look pretty and then the other type, where they were really proactive in trying to do risk mitigation work.”  

But what I'm seeing because of the Department of Justice's emphasis on having a program that's really the latter, having a robust compliance department, that's tested and effective that's becoming much more of an expectation. You can't just have a compliance department on paper anymore. 

And what a lot of companies, institutions, universities, and hospitals are doing, is really taking a moment to take stock of their compliance department. So a lot of times I'll come in, either they have a new CCO or a new GC, or perhaps there is an inquiry or a complaint that came in or something that they're saying, “let's take stock of our compliance department. Is it really effective? Let's do an independent assessment.” 

And what I'm finding when I'm looking at these companies One; they're already ahead of the 8 ball, just trying to be proactive about how to be smart about compliance. So, a lot of times they've already employed creative strategies.  

One of the things that I'm in preparation for today I took notes of some big categories that I'm seeing there is a lot of creativity in this space. One is around data analytics and really using all of the inputs that you can get from big data to inform your compliance department and your audit and risk assessment process, and we can get more into that I have a lot of thoughts about data analytics.  

But one of the things I'm seeing is that a lot of, it's particularly, the well-resourced, bigger corporations, are adding data scientists to their compliance department. And that is something that is a new trend that a lot of savvy compliance departments are doing and adding headcount for data scientists, either in their compliance department or in their audit department, or some combination to really help mine the big data. So, that's an interesting trend and we could talk more about that.  

And then, as I alluded, just really being proactive in their internal investigations, because the department is expecting, frankly, that if there is some wrongdoing that you will be timely and robust in your delivery of documents and evidence to the government, particularly as it relates to individuals, that's an expectation now.  

So it's not enough to just sit back and wait for the government to do their investigation, you know, at first with savvy compliance department is going to really want to know what's going on. So a lot of times I'll be brought in to do those proactive investigations just when something smells wrong so that they know whether or not they need to do disclosure and self-disclosure is now more of an expectation. And we've been talking about self-disclosure a lot probably since 2015, but I'd say since the 2020 guidance and reemphasized in the department, September 15th, 2022 guidance, that really is an expectation from the government. 

I’ve worn that hat for so many years, I'm really sensitive to making sure you know you convey to the government that we are cooperative and that we are really a partner because, frankly, a lot of times the entity is a victim as well. So, you really want to have that posture and be proactive in your investigations and fact-finding process. And similarly proactive with your compliance assessments, because you can't really hide it in ignorance “Oh, well, you know we didn't know.” You really need to know if your compliance department proactively finding, rooting out, supporting, educating, and training all those things to really be effective. So a lot of times we'll come in and do that test against the seven pillars to really see where the compliance strengths and gaps are. 

One of the things I'm seeing a lot of creativity around is incentivizing the speak up culture, really having a culture of compliance where every single employee feels that it's their sacred responsibility to speak up, that might have 8-9 people in your compliance department, but every single employee really has the responsibility to, you know, “If you see something, say something” kind of things. 

It's one thing to have those slogans and posters and force someone to stand up, you know, wants your training program to say it, but to really walk the walk and talk the talk, I'm seeing a lot of creativity around that space as well. And sometimes that's through compensation, you know, really incentivizing compensation around a rewards program for having people speak up because you'd much rather someone speak up to their compliance department, you know, get a $100 gift card then run to the government and give them the case.  

So, really having creative programs, I'm seeing a lot of use of compliance ambassadors. Because no matter what space you're in, from the biggest corporation to a not-for-profit to a hospital to a university, there's one universal complaint we do not have enough resources in compliance. 

CJ Wolf: That's right. 

Asha Muldro: So it really becomes a force multiplier to have really well-respected leaders in different parts of your hospital system or corporation or university, to really be your compliance champions, and so they're called different things; Compliance champions, ambassadors, you know, whatever the name, the concept is the same that you know you have these trusted leaders who are also trained in compliance and feel that they have a responsibility to really be ambassadors of integrity throughout the organization. And a lot of times they're rewarded in different ways. Sometimes it's the public recognition from their CEO, sometimes it's financial or it could be something that works well. A lot of times it's purely voluntary, and you know everyone's already wearing enough hats.  

But you know just the selection of, you know, these are people who are seen as leaders in the organization and this is a reward to also be, you know, selected as a compliance ambassador for the organization. You know, a lot of times just the ego boost is enough for the extra, you know, the star on the door.  

But sometimes companies are being creative with their performance metrics and you know, really instilling; “how do we incentivized in annual or even more frequent performance assessment,” you know if someone is really stepping up to the play in these different things, so seeing a lot of creativity for being proactive, having proactive compliance management, and you know, it's like Benjamin Franklin's anecdote, “Ounce of prevention is worth a pound of cure.”  

CJ Wolf: Absolutely. 

Asha Muldro: So, I think savvy compliance departments are really being creative and proactive. The thing is It's, you know, multifaceted. So how can you really have a multifaceted approach? Putting in all of the pieces to really make your program strong and have as many inputs as possible. 

So, I spend a lot of time, but whenever I'm interviewing CEOs and they're telling me, "Oh, we have this program or we're doing that." Like, "yes," that's perfect. Those are the creative things that really bode well for a compliance department. And also frankly, look good, if a regular does come knocking because they see that you're really trying.  

CJ Wolf: I really liked kind of your first one of your first comments about data analytics. We've seen in healthcare, so you know, I have attended some of these kinds of healthcare compliance conferences and HHS, and OIG will often speak there. And the current Inspector General spoke about data analytics, which was one of her major points. They have a whole division doing it.  

Asha Muldro: Right! 

CJ Wolf:  Well, that should tell us we should be doing it as well. As you mentioned, none of us has unlimited resources in the compliance department. We don't want to do random if we don't have to do random. So if we can drill in and say, you know, I'll give you an example. I've used this before Hyperbaric oxygen therapy, OIG was looking at it. It's a certain number of codes and they were concerned with a certain number of units being reported per session because it had a time-based element. Well, do data analytics. Find that code, and meet the people in your revenue cycle teams. Find those codes, drill down and then audit there. So, you're not doing kind of a shotgun approach.  

Now I know sometimes that is probably done and has to be done, but I think this data analytics approach is really important. How have you seen others use data? 

Asha Muldro: Well, there are a couple of ways. A lot of times, and a lot of times in the space I work with because we might be coming in to do an internal investigation. It might be like you said, you know, hey, this is an area, let's drill down on the data in that way and see what it tells us. And that's a great use of data analytics to be useful in an investigation. A lot of times that comes after the fact.  

A lot of times what I'm seeing and encouraging institutions to do is really be proactive with the data analytics like to have certain things kind of always running in the background to give you real-time information fees. And it doesn't need to necessarily always distill into the official printouts. Even things like invoices and emails or different things can be really important data inputs that you're mining and then like you said to be targeted when you're doing your risk assessments. Also, do your data assessments, you know, It's kind of garbage in and garbage out if you don't have really good data around a particular area, then you might get false positives, or you know anomalies, then you have to have human time to really figure out what does this mean.  

So a lot of times I will say, this even being proactive in the fact that you're going to be using data more for empirical and qualitative purposes to think about. But, what are all of our data inputs and how good are they? And let's start there. And that in of itself can be a proactive process that can really bear fruit going down the line.  

CJ Wolf: That's really helpful. You mentioned that compliance programs are hiring data analysts. Do you find them coming from like a data science background? Are they coming from, you know, because a lot of people in compliance might not have the expertise? I'm not a technical person, right? So, it's like, you asked me to run some report, I'm not really good with that. Do you know what kind of qualifications really help?  

Asha Muldro: Yeah, no, precisely and I think for that same reason, a lot of times you know your compliance department or for folks like me, we're lawyers that purposely went into law, because we are terrible with numbers and the concept could be scary sometimes. So, you know, I like the pretty dashboards, but I can't tell you how to get there. And So, what we're seeing is really getting the qualitative data scientists, the people with that strong data analysis background and they might not have the compliance background at all.  

CJ Wolf: That's right.  

Asha Muldro: That part can be taught, you know, sometimes they're coming over from more of an audit background or finance background, computer scientist, data scientist background and that companies are recruiting specifically for that position, you know not really looking at who can do this amongst us, but who really has the deep data science foundation to be able to really mine this data effectively and deliver it in ways that are easily digestible for the company.  

CJ Wolf: That's really great. If you don't mind, I'm going to pivot a little bit and talk about incentives, you talked about kind of incentivizing compliance. Companies do it everywhere else, right? Sales professionals are incentivized by getting, you know, commissioned, right? All humans are motivated by certain things. It can be financial. It could be altruistic; it could be different things. It could be a mission or statement, but somehow incorporating incentives" so that it becomes a part of our being, right? and not just "Oh, I'm going do my once-a-year compliance training, now, I know compliance!" Well, no compliance in practice, is doing it every day, right?  

Asha Muldro: right. 

CJ Wolf: So, what kind of specific things have you seen or these are like annual reviews? Are they looking at like, Completion rates of training? or like, if there are any specific examples that you can think of, What are people using to measure those incentives into institute incentives? 

Asha Muldro: Yeah, and I think just take a step back. You really hit an important point. A lot of times what I'm seeing is people are really taking a fresh look at their code of conduct and their mission statements and starting there with these are, you know, important core values to us as an institution, and you are expected to uphold these values and then starting there, of course, training to the code etc. Then figuring out how best we embed these core values into the DNA of our company or our institution. So, kind of taking the step back to say, this is really important to us, not an ancillary thing, but really something that's core to our being and as an employee, this is something you're going to be measured against. 

And then measuring it in all ways. I'm seeing a lot more companies start adding questions related to compliance and ethics in their annual performance evaluations, which often affects bonuses or raises or promotions, so you know, the good old tie it, the carrot approach, people want you to perform well in that regard and.   

The fact that it's there they'll inherently start to think about it more as this is part of my job responsibility, this is part of my role as a manager to make sure, you know, I'm instilling these messages. Because so often, I'll come in for a compliance assessment or an investigation, and we'll talk about tone at the top and sure, the CEO can say it, but a lot of times it's the middle managers that really have the most sway on the day-to-day life of their employees.  

So, making that a job performance expectation has been an important way for incentivization, making, like I mentioned, rewards programs. We're seeing more and more of that where you might have, say in your internal newsletter or intranet, you know, employee spotlight, this employee did this great thing by highlighting, "Hey we could improve practices", and this particular area, that has been something that you're seeing so that people want to be rewarded for, "Hey, is there a way that we can make this better? Or, you know, raising concerns", that they know that, "hey, you might be spotlighted and you know, we see the recognition from the highest folks in the company, because you really did a good thing by speaking up here", because so often people are afraid that, "Oh, I don't want to get this person in trouble. Or What if I'm not right?". But just encouraging true speak-up culture and that act in itself will be rewarded is a good thing. But it takes time because I think human nature is really the opposite, that you don't want to say something. So, you can say we have a speak-up culture, but is it really practiced?  

CJ Wolf: Right. 

Asha Muldro: And then, on the flip side, one of the creative things I've seen some companies do is you might anonymize the problem, but you might also equally spotlight "hey, this fact scenario occurred. This is not good. Don't be like Jane. Jane was fired."  

So seeing the opposite, an example often has a really good reverberative effect.  

And you can't report necessarily, performance, you know, HR implications for particular people, so a lot of times, people might not know there was this investigation and that ex-person was fired, but in an anonymized way you could talk about this behavior is not something that we will be tolerated.  

CJ Wolf: One example that comes to mind as you were talking about that was, in healthcare, sometimes you have well-known personalities in a state. Maybe it's a celebrity, maybe it's just somebody that people in the state know. Those people get sick and go to the hospital too. Well, I was at one institution where a well-known state personality was admitted. People were snooping in the medical record to find out why that person was admitted and they weren't directly caring for that individual, so they didn't need to do that.  They leaked that to the press. It became a big issue and the institution publicly said, "these people have been fired because we do not stand for that."  

So, to your point, especially when you're in a big organization, you can't control every employee's every action, so you sometimes need to be prepared to discipline and just like you said, mostly anonymous, make it anonymous, but in this case, it was public and it was in the press and it was causing problems and it's the right thing to do and to say, "Look, this is how we dealt with it" and they said that publicly. That means a lot more than just saying words. The actions spoke much more loudly than the words.  

Asha Muldro: It matters because one of the things I see being across the industry, is that there are certain people within a particular industry, that sometimes the nature of their job is so important, in healthcare, you know, your esteemed doctor, they're going to get fired because of X or Y. Or, at a university this esteemed, globally recognized professor. Or, this hugely productive salesperson at a big company. But a lot of times, you just have to be consistent. Disciplinary has to be, actions need to be consistent and no one is above reproach.  

CJ Wolf: I agree with you.  

Asha Muldro: And I see that a lot in industries, where there are certain categories of people that have historically not been disciplined, because of the nature of their job. That can promote a problem as well, and so that's one of the things that I'm seeing that companies are really just taking, you know, even if you're a top salesperson, even if you're a giant of the industry, you're not above approach.  

CJ Wolf: That's right, that's hard to do!  

Asha Muldro: It's hard. 

CJ Wolf: But it really is where the rubber meets the road, right? I mean, if you have a compliance program that doesn't follow through, let's say on an allegation or discipline, you almost have done yourself more harm, right?  

Asha Muldro: So true.  

CJ Wolf: Cause you've documented no action. We didn't take action, right?  

Asha Muldro: Right.  

CJ Wolf: I think of that movie, Field of Dreams; If you remember it with Kevin Costner. "If you build it, they will come." That was what he, you know, he had to build the baseball field and then the players came. The same thing with a compliance program. If you build it, expect reports, expect allegations.  

You and I have done consulting before where you go in and you ask, "Well, how many hotline calls have you had? Oh, none! that tells us we're doing so good." It actually tells me not so much, because no organization is perfect, you expect reports.  

Asha Muldro:  Yeah, exactly. You want reports. Frankly, you want reports, so that you can fix problems and know about them before they continue to grow faster.  

CJ Wolf: Yeah, absolutely. Well, Asha, we're getting close to the end of our time. I could talk to you all day. Maybe we can have you back as a guest if you're up for it again.  

Asha Muldro: Yeah, I love it.  

CJ Wolf: I want to give you a moment to, you know, Are there any last-minute thoughts or something that you could tell our audience? Again, you've got such great experience with these other companies. Any last-minute thoughts or comments that come to mind?  

Asha Muldro: Well, one thing, and maybe we could talk about it more in another time. 

I am a big proponent of the compliance ambassador concept. Every compliance department is always going to be willfully under-resourced, unfortunately. But with an ambassador program, you can add 50 more people, 100 more people to...  

CJ Wolf: And they're on the front lines.  

Asha Muldro: They are on the front lines. So, I really want to leave which is emphasizing, I know your audience is really compliance leaders in the healthcare industry, but consider how you can employ a compliance ambassador program and that way you could, have false force multiply.  

Asha Muldro: They are on the front lines. So, I really want to leave which is emphasizing, I know your audience is really compliance leaders in the healthcare industry but consider how you can employ a compliance ambassador program and that way you could, have false force multiply.  

CJ Wolf: I love it. And, you know, in my experience with physicians, there are always those physicians who just want nothing to do with us. But every now and then, you can find one or two among their ranks that are like, "No guys, this is important." Those are the people you want to task with being, even if you don't do it formally, you want them to be your deputy, almost right? It's like the police can only be in so many places, but if the whole neighborhood has their eyes open and they're watching, you've kind of deputized others. And I think that's what you're talking about, is this ambassador program finds those individuals, and to find those individuals means you have to be out among the people. You can't just be a compliance officer sitting in your office in the ivory.  

Asha Muldro: Exactly. And that's the thing because you really want people to be able to come and ask their questions. You know, "Hey, can I do this? Hey, is this, okay?" You know, asking beforehand and that way you can, you know, perhaps it might be if with certain controls around it. So just having that information exchange, having people be comfortable that they know where they can go to get answers is important.  

CJ Wolf: Right. Well, thank you so much. Asha for being our guest today and we want to thank all the listeners for listening again. Again, please subscribe if you haven't already so you don't miss future podcasts and we'd love to have you listen again to another episode of Compliance Conversations. Thanks for attending.

Questions or Comments?