Compliance Perspectives SCCE

By Adam Turteltaub



Providence is a US-based healthcare system with over 165 years of history behind it. But, the Providence Global Center in India started just in 2020. It was founded as an engineering and operations hub and has a startup culture.



Anitha Vittal, Head, Risk and Compliance, was charged with getting the program off the ground. To get things started she first spent time talking with staff. Happily, she learned that attitudes towards compliance were very positive. While each person may have had a different definition of compliance, there was an eagerness for guidance and, for some, to have others responsible for managing the many legal and regulatory requirements.



After considering how to make the program effective and relevant, she ultimately decided to leverage the start-up culture and position compliance differently. Instead of speaking of it as a control, she positioned it as a way to make each endeavor successful.



This approach includes three key elements:



* Each new hire, as part of their two-day orientation, is given a thirty-minute introduction to the compliance program featuring an engaging story-telling approach

* A compliance champions network

* Encouraging a speak-up culture



In addition, the risk assessment results were characterized in a new way, with each area labeled either “asking for help”, “may need help in the future”, or “no help needed”. Using this nomenclature, she found, was much more successful at providing dimension to risk areas.



Looking to the future, 2023 plans include embedding compliance into the organization’s DNA, exploring opportunities for insourcing resources, and leveraging technology to enhance productivity and bring efficiencies.



Listen in to learn more about what she and Providence are doing.

By Adam Turteltaub



On December 7, 2022 The Speak Out Act became law. Stephen Paskoff, the President and CEO of ELI explains that the law was spurred by the #MeToo movement and the Non-Disclosure Agreements (NDAs) that limited recourse available for victims. It was designed to make it easier for victims to come forward, and for improper behavior to remain hidden.



The new law, limits the ability of employers to include NDAs when it comes to sexual assault and harassment. Specifically, it states: With respect to a sexual assault dispute or sexual harassment dispute, no nondisclosure clause or nondisparagement clause agreed to before the dispute arises shall be judicially enforceable in



instances in which conduct is alleged to have violated Federal, Tribal, or State law.



As a result of the law, compliance teams, no doubt working closely with HR and the general counsel’s office, will need to work to ensure that NDAs for sexual assault and harassment are no longer used internally or even externally with vendors. Existing agreements will need to be reviewed as well.



Organizations will also need to recognize that the balance has shifted, making it easier for employees to air grievances publicly.



To get ahead of this issue, they will need to take several steps that they likely should have already, including stressing standards and the value of respect. Training to prevent the bad behavior in the first place will be even more important, as will be good controls to catch it quickly when it happens.



Listen in to learn more about what The Speak Out Act means for your compliance program.

By Adam Turteltaub



Perhaps the biggest non-Covid change in the corporate landscape over the last few years has been the growth of the Environmental Social and Governance (ESG) movement and its call to measure business on more than P&L statements. While some consider it a passing phase, Stuart Pardau, Associate Professor of Business Law, Professional Practice at Miami Herbert Business School at the University of Miami, thinks it is here to stay.



As proof he points out that BlackRock, Vanguard and State Street, with a combined $20 trillion in assets, have stated their commitment to making investment decisions informed by ESG considerations. He also notes that the SEC has proposed new rules to standardize climate-related disclosures.



On the corporate side, bonuses are increasingly tied to ESG metrics, and annual reports are featuring ever more language on the topic. Organizations are also more willing to take a stand on social issues.



With this revolution, though, has come new risks, he notes. Greenwashing – making marginal or fraudulent environmental claims – has grown to be a serious issue with the potential for reputational damage.



With this and other risks have come new challenges for compliance programs. Compliance teams need to help in the assessment of which ESG risks are greatest for their organization. In addition, they must keep in mind that not all of these risks come from aspiring to be a better organization. Some, whether around environmental, forced labor, or other issues, already have laws behind them.



There is also an internal risk around corporate culture. If there is a gap between the professed values and the everyday actions, the chances of a public and embarrassing failure are great.



Listen in to learn more about where ESG is going and the role of compliance along the way.

By Adam Turteltaub



The Gramm-Leach-Bliley Act (GLBA) is typically referred to in the context of financial institutions. It requires offerers of consumer financial products to explain how they share information and protect sensitive data.



It’s not, however, only banks that fall under GLBA’s umbrella. New rules will affect retailers offering credit terms to their customers, higher education institutions that administer federal student aid and others a well, explains Kayne McGladrey, Field CISO for Hyperproof.



The FTC, has set June 2023 as the deadline for compliance with the revised GLBA Safeguards Rule. It requires that affected organizations:



* Have a qualified individual to implement and enforce an information security plan

* Conduct a periodic cybersecurity risk assessment

* Implement cybersecurity controls to manage those risk

* Document who has access to customer data

* Assess the risks of applications that can access the data

* Securely destroy old data

* Periodically test the controls to verify their effectiveness



In addition, staff needs to be trained, there must be a written incidence response plan and ongoing testing.



It is a considerable commitment, Kayne points out, but since it overlaps with the requirements of the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), many organizations may already have significant structures in place.



Even so, it’s important to conduct a gap analysis, he advises, to ensure all the requirements are being met.



Listen in to learn more about what Gramm-Leach-Bliley now requires for your organization.

By Adam Turteltaub



Last year was an eventful one for the world and the compliance profession. In this podcast, Matt Kelly, Editor and CEO of Radical Compliance, looks back at what he sees as the biggest events, and looks into the future.



The conversation begins with the impact of the war in Ukraine. He observes that the increasing number of sanctions of Russian individuals and entities, as well as the variations from country to country, have forced companies to improve their sanctions compliance efforts. The sanctions have also complicated procurement, forcing organizations to review their suppliers more carefully to avoid sanctions issues.



With the war has also come of host of ethical considerations. Organizations have had to decide what to do with their Russian operations and the people that work at them.



Also on the international front, 2023 brought increased cooperation among prosecutors, with a rising number of anti-corruption enforcement actions combining the resources of prosecutors in multiple countries. ABB, Glencore and Danske Bank are three notable examples.



This activity comes at the same time as Europe continues to lead the world in privacy and data protection requirements.



Looking domestically, he points to statements by Lisa Monaco at the Department of Justice and the push to require certification of the effectiveness of the compliance program by the CEO and chief compliance officer. This could be a dramatic shift for compliance programs.  On the one hand, it could create stronger ties between the CEO and compliance, Matt observes. On the other hand, compliance officers would see greater personal risk, especially given the real likelihood that, despite a strong program, wrongdoing may occur.



Whether certification truly becomes established practice, though, has yet to be seen. Thus far it has only been imposed in the context of recently signed DPAs. As a result, certification will come in three years, if at all. He notes that a change in Administration could see a reversal of the policy.



What does he see in 2023? For one, a need for compliance teams to improve their ability to access and analyze data. The US Department of Justice has made it clear that it expects organizations to have robust compliance data analytics processes.



Second, he sees increased data protection enforcement actions, both abroad and in the US.



Listen in to learn more about what happened and what to expect for your compliance program in the year to come.

By Adam Turteltaub



It’s critical for patients leaving the hospital for a post acute care (PAC) provider that the handoff be conducted well. Some facilities will be better suited to the patients needs than others, which is why the process needs to be handled properly, with discharge planners making recommendations based on patient need, rather than the financial interests of the hospital or PAC.



Unfortunately, explains Beth Kastner, Member, and Shannon DeBra, Senior Counsel, at Epstein Becker & Green, that’s not always the case. Patient steering and charting can take place, with bad outcomes for everyone involved.



While there is no official definition of patient steering, it has been informally defined as the practice of directing patients and/or their caregivers to PAC providers that do not align with the patient’s goals of care and treatment plan. It can also be defined as inappropriately influencing the patient and/or care giver.



Traditionally this occurs when the hospital, or its discharge planner, has been remunerated in some way by the PAC. As recent cases have shown, that could come in the form of gift cards, massages or even a free cruise. It might also be delivered as staffing for the hospital paid for by the PAC.



Whatever the form, it’s improper and could lead to a very large settlement and termination of the Medicare provider agreement.



Patient charting is a scheme in which a PAC is given access to patient data to identify patients for referral to their facility. It’s a practice that holds multiple risks, including anti-kickback and privacy.



So how can a hospital stay ahead of this risk? First, train the staff that remuneration comes in many forms and carries substantial risks. Second, reinforce that discharge planning must be done in the best interest of the patient. Third, watch carefully, including ensuring that all arrangements are in writing and reviewed by legal or compliance before signing.



Listen in to learn more about the issue and the do’s and don’ts of preventing patient steering and charting.