CJ Wolf
Share:
Is your compliance program effectiveness review process due for a tune-up?
Join us for a conversation with Larry Plutko and CJ Wolf as they discuss strategies for looking under the hood of your program and preparing your organization for what’s ahead in corporate compliance.
Larry has over 40 years of experience leading and assisting organizations with compliance and ethics program development and implementation. His expertise spans healthcare, higher education, research, privacy, information security, and administrative compliance requirements, as well as organizational ethics.
Tune in to our new episode, “Federal Enforcement Expectations for Compliance Program Effectiveness Reviews,” as Larry and CJ discuss:
- Three key pillars of an effective compliance program
- The evolution of corporate compliance – and where Larry thinks it is headed
- The heightened focus on individual accountability and the implications for compliance officers
Episode Transcript
CJ Wolf: Welcome everybody to another episode of Compliance Conversations. I am CJ Wolf with Healthicity and I am so excited today to have a wonderful colleague and personal friend, Larry Plutko with us. Welcome, Larry!
Larry Plutko: Hello, CJ. Very pleased to be here with you today.
CJ: Yeah, thanks! And Larry's joining us from the Pacific Northwest. How's life up there?
Larry: Well, it's a little colder here in January, but we got our snows in December as yet we haven't had any for January and February.
CJ: Well, very good. Well, Larry, we love to allow our guests to just tell us a little bit about themselves just so that our listeners can kind of get a feel for what you've been doing in your career in compliance, what you're doing today. Anything you want to share in that regard?
Larry: Happy to. Well, I started my education really in the area of philosophy and eventually healthcare ethics, and I got into organized healthcare at Pittsburgh Mercy Health System in Pittsburgh. And from there I was recruited by the Providence health system right here in Seattle, where I became their director of Corporate Ethics. And while there, I got a tap on the shoulder by the CEO asking me if I'd like to be their first compliance officer. And I said, "What is that?"
CJ: Like we all do, right?
Larry: Right! So, I got training. I went off to Medicare and Medicaid boot camp, coding boot camp, and did work with the American Health Lawyers Association. And after that happened, I felt like, "You know, this, this might fit" and our approach to this was really to integrate ethics within the compliance program, so that really appealed to me. From there, I went to Yale and headed up the compliance program for the health institutions at Yale. And then I went down to Austin, where I met you CJ and recruited you from UT MD Anderson Cancer Center, and I became the very first compliance officer for the University of Texas System, which is 15 universities, both academic and Health.
CJ: Right!
Larry: I retired in 2014 and ever since then, I have been doing nonstop compliance consulting and a lot of compliance effectiveness assessments over the years. Some of these with you!
CJ: You that's right!
Larry: So that brings me up to the present point. Go ahead, please.
CJ: Yeah, and I love the word retired. I was trying to do air quotes, but we're on a podcast, so no one can really see, because I know you're working harder than ever.
Larry: That's true. That's true.
CJ: Well, we're so fortunate to have somebody of your caliber with all the years of experience, and just so the listeners know I did work for Larry. He taught me so much and we worked together a little bit now. And anyway, he's a great man. I'm excited to kind of hear your thoughts, Larry. And one of the things that you and I were chatting about in preparation for the podcast kind of the ratcheting up in recent years by the DOJ on the importance of conducting periodic compliance reviews. I know you've worked in higher Ed, but also in healthcare and most of our listeners are in healthcare. How do you think this applies right now? What are you reading? What are you hearing? In regard to this.
Larry: Well, you're quite right. There has been a ratcheting up and starting in 2017 we witnessed an intensification by federal regulators and enforcement agencies on stating what the federal expectations for operating an effective compliance program would be and this includes three things. First of all, you can demonstrate program effectiveness. Secondly, you can measure it. And thirdly, you can assess effectiveness.
So, these expectations are laid out in the 2017 DOJ evaluation of corporate compliance programs. And it's interesting, and CJ, I think you remember this, that the same year HSS, OIG, and the Healthcare Compliance Association got together and developed a resource guide to come up with the very first metrics which could be used to measure effectiveness.
CJ: That's right!
Larry: Then, in 2019, the DOJ issued a revision of the 2017 guidance. And then we have further revisions which occurred in 2020, which results in what I consider a more fulsome document, which has become a milestone for assessing the effectiveness of compliance programs. It really came in with a bang, to say the least. And lastly, we have the articulation by the Department of Justice last year in 2022 of the legal consequences of non-compliance through Deputy Attorney General Ken Polite and also Lisa Monaco. And I'd like to return to that later on in our podcast.
CJ: Yeah, that's that would be great. I think that was a nice kind of overview and you know in healthcare, a lot of us focus, and rightfully so on HSS, OIG guidance. But I'm glad you brought up the importance of this DOJ guidance because they also have things to say about it. Now, not to age you, but you've been in compliance for decades, I don't know, 30, 40 years, but you're as young at heart as I have always known you.
Larry: I haven't fossilized yet, CJ!
CJ: That's right. So, with all those years of experience, is this emphasis on performing these compliance effectiveness reviews, that's new in your mind? or is it a progression of kind of maturing corporate compliance? Any thoughts there?
Larry: Well, let me share some history. The 1980s, I believe are considered the birth of corporate compliance in America, and actually in all sectors. And remember, we have the federal sentencing guidelines coming out of this particular time and they came out really to address the problem of white-collar crime in America and how do we sentence individuals and companies who are committing such crimes or irregularities. Then, in 1993, healthcare fraud for the very first time became a top priority in the DOJ's annual plan.
Then we had Operation Restore Trust in 1995, during Bill Clinton's administration and the Attorney General back then was Janet Reno, and we had June Gibbs Brown as the HHS, OIG. So, I consider this CJ the ear of what I'd like to call early healthcare compliance, things were coming together. And individuals who were newbies in doing this spent a lot of time converting executive management on the importance of taking compliance seriously.
CJ: Right!
Larry: It was more difficult for compliance officers who were not part of the C-Suite, to hold any sway in their organizations, and that's another story for another day.
CJ: No, that's really good. And you mentioned June Gibbs Brown, I think I just read somewhere where she recently passed. Some of the history you shared too reminds me of like, the $100 toilet seats and the $50 screws at the Department of Defense and all that kind of stuff and you've summarized this really well and we're, you know, kind of how we're maturing now. So, any thoughts on kind of the nature of enforcement in those early days, anything you want to say in that?
Larry: Well, between 1998 and 2008, there are 18 compliance program documents that HSG has produced. And I'm quoting from the one from hospitals in 1998; "Many providers and provider organizations have expressed an interest in better protecting their operations from fraud and abuse through the adoption of voluntary compliance programs," so you can see the emphasis at that time was really that these were voluntary programs, but reading underneath the lines, you better get your act together.
CJ: Right. And then did you notice any change in federal enforcement kind of as the years went on?
Larry: Yes, absolutely. I like to consider the middle years of corporate compliance and I think that goes from, let's say 2004 up to about 2014 and there are a lot of actions related to the Anti-kickback Statute and the False Claims Act going on and we see the ballooning of payments and settlements, for example, Pfizer 2.3 billion in 2009, Glaxo Smith Kline's Settlement 3 billion in 2012. I see at that time compliance programs began to step up. And an individual who I had the pleasure of sharing the dais with, Jim Sheehan, established the very first mandatory compliance programs for the New York State Medicaid program during this particular time, and people took note of that.
CJ: That's right!
Larry: Lastly, we had the impact of the Affordable Care Act in 2010 and it made mandatory compliments a requirement for Medicare and Medicaid providers, so that really shifted things in great ways.
CJ: Now that's spot on and though I might not have been involved in those early, early years. I think middle years I was starting to get much more involved and I recall a lot of what you're saying here. So, that kind of brings us to current times and how do you read what seems to be a stronger emphasis on these expectations, as it relates to demonstrating effectiveness of compliance program. How do you read the tea leaves and kind of predict the future a little bit here?
Larry: Yes, echoing back to the beginning of the podcast, when I spoke about the three editions of the program, guidance from the DOJ, 2017, 2019, and 2020.
CJ: Right.
Larry: I believe that these releases by the DOJ have made an impact with management and boards, and give impetus for organizations to conduct full-fledged compliance effectiveness assessments of their programs. Many organizations started to stop and say, "Hey, we really better make sure that we utilize a third party to test our program, and to see if it's reliable," and also to come up with particular metrics to establish the very fact that it's effective. So, I see this really as impacting things in a greater way and it's really, you begin to see also what is considered to be the compliance maturity model, a technique to measure the ability of an organization to use continuous improvement processes in its compliance program.
CJ: Yeah, that's really wonderful. So, are you kind of saying then that this, you know, the 2020 DOJ document is really a milestone in corporate compliance expectations, like it's kind of set the standard?
Larry: Yes, in fact, if I can borrow from Charles Dickens, I think we should call this the age of great federal expectations when it comes to compliance programs and not only in healthcare but across all sectors.
CJ: Right. Yeah, and then also correct me if I'm wrong, but in 2022, we started to witness kind of this notion of, you know, chief compliance officers, certification of their compliance programs. You mentioned earlier the Monaco memo, so that's a little bit more recent, just probably within the last four to five, or six months. How does that impact compliance programs moving forward?
Larry: Yes, that's a very important point, CJ, and no doubt a lot of compliance officers were shaking in their boots when this came out. There was a decision, the Glencore decision, and Assistant Attorney General, Kenneth Polite, on March the 25th of 2022, almost a year ago, came out and referenced the department's intention to include chief compliance officer certifications as part of corporate resolutions going forward. So, when this hit the press, it really shook up a lot of the compliance community. And I've read the Glencore International resolution papers, I think it's 95 and 96 pages, but in the settlement agreement, there are attachments. And its Attachment H, where Glencore, as part of the plea agreement, signed that their program would be certifiable, not only the compliance officer but the CEO of Glencore International. So, that is a huge leap, to say the least.
CJ: That is for sure for those of us who, and kind of like you said, even from the beginning of the story of, like voluntary compliance programs, and now it's like you're certifying. That's very interesting. Larry, this kind of brings us to kind of halfway through our podcast. I'm going to take a short break and we'll continue in a few moments.
Welcome back everybody from the break. I have Larry Plutko as my guest today. We've been talking about kind of the evolution of compliance program, expectations being raised and we're focusing a little bit on DOJ guidance. Larry, let's jump right back into it and see your thoughts on how these milestones changed our approach to compliance program and what kind of conversations do we need to be having with the C-suite and the boards.
Larry: Right! And maybe as a preface to that CJ, I want to indicate that the Monaco memo of Lisa Monaco, which came out in September 15th of 2022, she gave an address at NYU, and she stresses 6 points.
CJ: Okay!
Larry: Number one, the DOJ's top priority, will continue to be individual accountability. Secondly, the DOJ will consider a company's history of prior misconduct when entering into a resolution. Thirdly, the DOJ units will adopt policies to incentivize voluntary disclosure. Fourth, the DOJ will issue new guidance to prosecutors on how they should identify the need for a corporate monitor. Then the fifth one, DOJ will continue to emphasize corporate culture with the emphasis on compensating systems that incentivize compliant behavior. And then lastly, DOJ will ask for $250 million from Congress.
So, with that said, you can see that Lisa Monaco's memo really raises the bar, and following your lead, I think it's very, very important for Chief Compliance Officers and their general counsels to get together and develop a path forward for CEO and executive teams to understand the implications of the new expectations by the Department of Justice for compliance programs. Where are they taking this and how are we to demonstrate that we are running an effective program? From there I think working with boards to reemphasize their role and fiduciary responsibilities is another strategic step. Thirdly, the organization needs to take on a posture of compliance readiness. So that they are ready to demonstrate that their program is truly effective and continuously improving so that things don't become static. The fourth recommendation I recommend is to launch a compliance effectiveness view of one's program, and there are different ways one can proceed with such a review, you know, you can get a third-party person you can use peer reviews, but the point in hand is that documenting the fact that you had a review is extremely important in the eyes of the Department of Justice, if something goes awry.
CJ: Exactly!
Larry: The last point, well, I shouldn't say the next to the last, it's important to remediate any observations and recommendations that result from the compliance effectiveness review. Just don't let them in the inbox and not dealt with. And the last one, one that you and I have been working with companies is to follow up with the compliance risk assessment, a strategic compliance and risk assessment, and making sure that there are compliance work plans with use of metrics, with goals and also an indication of what resources are being utilized by the company. So, these are the things that I think we need to recommend to organizations because I do believe this is a new era of compliance effectiveness. And enforcement, which goes with that, whether you like it or not, they are ready to look at your organization.
CJ: Yeah, exactly. Yeah, I and I really appreciate what you shared kind of in Monaco memo with individual accountability. It's kind of a, a little bit of a reemphasis because remember years ago, the Yates memo from DOJ also talked about that, and I've seen probably just in the last 8 to 10 years just what you said about this kind of focus on individual accountability. You know, in the past we've always seen companies with these large settlement amounts, we're still seeing that. But what I'm noticing and this is somewhat anecdotal, I haven't done a study on it, but I'm seeing that CEOs and individuals are also being held accountable and they're being asked to pay a portion of those fines individually. And so, is that something that you see? Some of the enforcement?
Larry: Yes, and you know Monaco in her memo warns organizations about clawbacks, that's where you incentivize. And when I read that, I thought back two years ago of a dear friend, who's also one of the first pioneers in healthcare compliance, Dan Roach.
CJ: Right!
Larry: Who introduced in his organization, then it was Catholic healthcare, I think it's Dignity Health now, that executives go through the MERIT Program, have their reviews, but they are scored on how they demonstrate effectiveness in their compliance responsibilities. So, I think that really in a way restarts that conversation.
CJ: Yeah, it does.
Larry: If individuals in the C-suite are being judged on how well they handle the budget, that is fiscal metrics, I think corporate compliance metrics must be in hand in hand with that.
CJ: And I know, Larry, that you are doing a lot of these effectiveness reviews now for your clients. And I know we don't have a lot of time, but I don't want you to have to go into great depth. But you know, if there's a listener, somebody wanting will, where would I start? Is this something that takes six months? Is this something that takes two months? What's the process like? Does it involve interviewing? Does it involve auditing? Like, can you just maybe kind of high level what you tend to do when you do these kinds of reviews?
Larry: Yes, the first thing is to establish the scope and we have to right-size it according to the size of the organization. But we like to do is to interview individuals who are involved in administration, who are involved through medical staff, through education, through auditing, have interviews of these particular individuals, because there's information that comes forward. And at the same time, we are utilizing, what I can consider now, the eight elements, foundational elements of the compliance program, we're asking specific questions related to that.
Another part of this would be to actually look at their documents that they have related to policies, what programs they had with regard to education, and so on and so forth. And then begin to dialogue in draft form with the organization on what we see by way of observations and what recommendations we make. So that's the short form. And I have always enjoyed doing those. And have done them for large healthcare organizations, academic medical centers, and also for universities that are rather new at the world of compliance programs. So, that's a bit of encapsulates how I see the process.
CJ: Yeah, that's really helpful. I mean, if I were to restate, correct me if I'm wrong, I mean basically, you're looking at each of those elements of a compliance program, you're not necessarily doing deep audits unless maybe you find an issue that might then be outside of the scope and you might have to, you know, deal with that in another way, but the intent, again, correct me if I'm wrong, the intent is to kind of look at the whole program from a programmatic and structural design and seeing are the parts and bits and pieces functioning well, not necessarily super granular like auditing into each area, right?
Larry: That's right. Well, I believe one of the best descriptions of it is; “Let's lift up the hood,” on your compliance program and look at all of the components that run the engine of compliance, and that's precisely what we do.
CJ: Now that's so good. And as you were saying, the expectations are being raised. You know in the past, it seems like for example, let's just take training, it might just be, "Oh, did you have slides, and did everyone sign the attendance sheet?" Well, that was kind of compliance 1.0 it's it seems now that DOJ in the document you referenced, and from what I can recall, they're asking, "Are you using data? Are you doing data analytics to determine if your training is effective?" So, it's not just, "Did you do training, it's how did you decide what kind of training to do and who to have complete the training?" It just seemed much more mature, compliance 2.0.
Larry: Right. And that feeds into what we've called; "The corporate compliance maturity model," the programs cannot remain static, they have to grow.
CJ: And you, you kind of mentioned a posture of compliance readiness. I think that entails some dynamics, meaning you need to be nimble. So, you probably have some proactive work that you're planning. Of course, there's always going to be reactive work, you know, some unexpected audit or some unexpected issue. So, there's kind of both of those the reactive and also the proactive.
Larry: Right, the readiness really plays into the very fact that the compliance program is really a strategic part of the organization. And if you look upon it as something rather minor or added on, it really fails the purposes of the organization's readiness.
CJ: And that's kind of what I hear you saying with your effectiveness reviews, you're assessing how well is the compliance program integrated into the strategies of the organization as a whole, meaning they should have a seat at the table, they should be there with strategic meetings.
Larry: That's right.
CJ: They shouldn't be an afterthought and on a Friday afternoon at 4:00 o'clock you get a call saying, "Oh, we've been working on this project for nine months. We need you to sign off on it!" And you were never invited to the table to begin with!
Larry: You're most right on that point. And as you mentioned earlier, CJ, in the course of doing the assessments at times we find a particular hot-button issue, and then we recommend to the client that a full-fledged audit be done.
CJ: Right.
Larry: And that's always under attorney-client privilege.
CJ: Well, and that makes a lot of sense. I think some people think that a compliance program expects perfection and it doesn't, right? It's like that movie, the Field of Dreams– if you build it, they will come. If you build a compliance program, you will uncover mistakes and errors, hopefully not too much purposeful fraud. But things happen, and that's human nature. That's the nature of organizations. And so, we all should expect our compliance programs to uncover certain things, right?
Larry: That's right. And I also believe it's a great opportunity to be able to assess the quality of care that's given in an organization, which is obviously a CMS point.
CJ: That's right. Well, Larry, we're coming up to the end of our time. You know, I could talk to you forever. And we do talk forever sometimes on these types of things together! I want to give you kind of a couple of moments though if you have any last-minute thoughts or if is there a question I didn't ask. Also, if people want to reach out to you, is there an e-mail or something that we can also put some of these links in the show notes probably. Any last-minute thoughts and maybe contact information if that's appropriate for you?
Larry: Right. You know, I think the point here of a compliance effectiveness review, it's not an audit, but it's also an opportunity to grow the program. And you know, I think a lot has been done through the years, especially in healthcare related to continuous quality improvement. And that's how I see it. And I could be reached at elplutko@laplutko.com, and if you want any more information or you can write to me there, I'd be happy to talk with you and set up an appointment to do so.
CJ: Thanks, Larry. We can probably put that e-mail address in the show notes too, so people can have access to it. It has been a pleasure speaking with you.
Larry: Well, thank you so much.
CJ: Thank you, Larry, for your expertise, your years of experience, and for sharing that. And thank you all to our listeners for participating today. Just a reminder if you like the episode, please hit the like button, and give it a thumbs up that helps kind of broaden our audience and get the word out, and please if you like these, please share these with colleagues and we can kind of grow the community a little bit and thank you all for listening and until next time be safe and happy compliance.
Questions or Comments?