Webinar: Sanction Screening PPE: Protect against Potential Enforcement

August 19, 2022

Transcript for Sanction Screening PPE: Protect against Potential Enforcement

Giovanni Gallo: All right, well, let’s get started. Thank you, everyone, for joining today. We’re so excited to host you for Sanction Screening PPE 2021, Protect Against Potential Enforcement. I’m your host, Giovanni Gallo. I’m so excited to host you today. We’re gonna be talking about sanction screening today. And we have an excellent panel. First of all, let’s meet our host, Matt Kelly. Matt Kelly is the editor of “Radical Compliance,” and the man who needs no introduction, I’m sure you know him from all around his writing, his speaking, and his thought leadership is really second to none in this space. I also want to introduce Deborah Adkins. Deborah is the director of compliance at Hanger Clinic. And we also have Mikki Massey here. Mikki is the privacy officer at Children’s Mercy Hospital in Kansas City, Missouri.

So I wanna go over a couple housekeeping items, and then I’ll hand it over to you, Matt. Wanna, first of all, welcome everyone to the webinar. So glad that you’re joining us. Please note that in your side panel, there is a chat function and an area to ask some questions. We really want this as much as possible to be helpful to you to help provide value for you, and we encourage you to ask those questions. As we’re talking about stuff, we’re gonna be monitoring that to see if we should dig deeper into something. And then we’ll also have some time at the end for Q&A. So, you know, if there are any questions that we don’t get through in the discussion, we’ll loop back to those. So please use that side panel, throw your questions in there, give us your comments, and let’s try to have a dialogue around this.

And the last thing for housekeeping, we do want you to know that we’re gonna be sending around a SHRM credit for this. So if you want credit for your CEUs with SHRM, we’ll be sending that. And then you also have an exclusive ebook coming from no one else than Matt Kelly about sanction screening and a lot of the things that are top of mind as we finish out this year and look to next year. So you’ll be getting that ebook as a follow-up from that. And without further ado, please keep an eye on your chat, throw some questions at us so we can have a dialogue here. And, Matt Kelly, why don’t you take it over.

Matt Kelly: Yeah, sure. Thank you very much, Gio. And hello, everybody, who is joining us today, we’re happy to have you. As he said, we are here to talk about sanctions and exclusion screening. And I’m sure that everybody here knows that is a compliance subject very near and dear to the hearts of health care compliance professionals because that is a big requirement for access to federal health care spending dollars. So we want to talk today about how you would get that done well if you are a compliance officer. It can be a challenging task, it can be a tedious task if you do it manually. It is also a vitally important task.

So we want to talk a bit about what are your strategies for finding the right data to be able to conduct screening? What are the right and wise ways to understand how you would actually get the screening itself done? What is it that you want to do with your staff? What is it that you might try to automate with good technology? What might you want to outsource if that is something that’s feasible? And we also want to talk about how sanctions screening can feed into a larger compliance program that has several other priorities that you want to get at.

What happens if you are getting some sort of rumors about misconduct over your internal compliance hotline? And how would you be able to maybe use sanction screening to chase down rumors that way? How would you account for your training or policies and procedures to let employees and vendors and business partners know sanction screening is something we do? And how can a good compliance program tie all of these things together so that it works, so that your board doesn’t mind the budget that you need for it and will actually give it to you and so that you and your staff do not get crazy with work in minutiae that might leave you pulling your hair out? How can you get all of that done? That’s what we’re looking to try and cover here today.

As Gio said, we are eager for questions. So if you have them, please submit them. We will try to set aside some formal time at the end of the hour for questions, but if you ask an especially good one and it pops up on our screen, we may well just drop a question in on the fly. And I see actually we have one more speaker who is here. So, as Gio had already said, Deborah Adkins and Mikki Massey are here, and then Debora Murray. Debora, are you out there?

Debora Murray: Yep, I’m here. Sorry, I’m late.

Matt: All right. Well, you…

Giovanni: No, that’s all right. You’re really just in time. We were just getting going.

Matt: Here in the nick of time. And for those who are just listening now, Debora Murray is chief compliance officer at the Henry Ford Medical Center in Detroit. So, between the three speakers that we have and Gio, we’ve got a great group who can talk to us about sanctions and exclusion screening. I would just like somebody, and maybe, Deborah Adkins, I’ll ask you if maybe you could take point on this, for the novice healthcare compliance person who is on this call, can you just walk us through at a very basic level what is the sanction and exclusion process? What are we trying to do here? Why is this important to get right? Mikki and Debora Murray, I will also then ask you like, what are your observations about what are the hard parts of getting this done well? But, Deborah Adkins, if you could just give us a lay of the land here, what’s the short form for what are we talking about?

Deborah Adkins: Well, in its simplest form, it is a reg, a regulation that says no federal benefit payment may be made for an item or a service, furnished, prescribed, or ordered by an individual or entity that is excluded or sanctioned. So that incorporates all of your federal dollars, namely, Medicare, Medicaid, and your other dollars as well. While ordered and prescribed is pretty straightforward, the furnish is a much broader category, and it goes beyond direct patient care. So transportation drivers, administrative staff, accounting staff, your CEO, your board of directors. So it’s a broad group. And in order to ensure that you are not furnishing any of these items, you must check the list to find out which individuals and which entities are excluded. So I think that’s kind of it in a nutshell.

Matt: And the list, the master list, comes from Department of Health and Human Services, the Office of Inspector General?

Deborah: No, IG.

Matt: Okay. So let me maybe ask Mikki first and then Debora Murray second. If that is what we’re trying to do, how hard could that be, right? What in your experience, Mikki and then Debora Murray, what in your experience do you find to be the big challenging thing that a compliance function needs to get right?

Mikki Massey: Well, we did it manually for a long time. And there is a lot of challenges that went along with that. The challenges of these databases are all differently formatted, and so to bring them all together, not all of them have complete information. So you may have very similar names, and maybe not a date of birth on this one, but a date of birth on this one, just being able to match those up and having an accurate findings is really the most difficult part.

Also, from an internal perspective, you have to really look at what your data is. Is it complete? Like, when you pull your vendor master, does it have the addresses? Is it current, or was that five years ago? Have they changed names? Have they merged with someone? All of those changes. So your data has gotta be clean, just like your employee data and your medical staff data have to be clean. Because the cleaner it is, the better the process goes.

Matt: And Debora Murray, what’s your experience here and what has to happen well? What is challenging to do? What have you lived through?

Debora: Well, I guess, I agree with everything Mikki just said, and I would add two things. One is I think you have to have the right vendor helping you work on this process. I think in my experience working with another vendor, it was not the same as working with ComplianceLine, but won’t go into that. But I think ComplianceLine has the right…you have to have the right algorithm because we’re talking about same name matches here and millions of people. So there has to be a level of wisdom with a vendor in terms of an algorithm that works correctly so that we’re not getting hundreds of same name matches, and I think ComplianceLine does that well.

The other piece is the one Mikki mentioned about, you know, we have these different populations that we screen in our…you know, that come through various departments in our health systems. So we have our physician database which comes through a credentialing department, we have our employees database that comes through the HR department, we have our vendor list which comes from supply chain, and we have our volunteers that come from another person in the hospitals and board members who are governance departments. So, really, these populations require a lot of working with different key people in these departments every month. And as we know, you know, employees change over, and this is kind of a unique kind of niche kind of area that someone has to be trained in specifically.

But I would say with regard to these populations, the one we find most challenging is the vendors, the contractors, and vendors. And we also find that CMS and other health insurance companies that audit us regularly tend to hone in on the vendors and contractor piece because that’s where your excluded providers may reside quite often because they’re floating, they’re going from state to state, they’re, you know… So they do tend to, when they audit us, pick, you know, 20 names, and 15 of them will typically be contractors or vendors. So it is particularly challenging to make sure that someone’s job and supply chain to make sure we have a clean list of our current vendors.

Matt: Deborah Adkins, I wanted to give you a chance too if there’s any particular points that you think are most painful for compliance officers to get right or most challenging. And then Gio, if you have any general observations, I’d love to hear those too. But Deborah Adkins, what’s your perspective?

Deborah: Well, I definitely agree with Debora Murray on your data being accurate and correct. And if you’re in an organization that’s anything like mine, these different sources internally, these different departments don’t always keep data the same way. So it’s a bit of reformatting when you get it and making sure that you are screening your appropriate populations. So, you know, are you screening a vendor that you haven’t done business with in 10 years and you spent $75 10 years ago? You know, is that list clean and current? I think, you know, that’s really important to make sure that that data is in a format that you can use. And I echo Debora’s sentiments again about having a vendor to help you with this.

Mikki, I can’t even imagine doing this manually. The sheer number of primary sources out there to gather and to be able to cross-references is kind of mind-blowing. So I think it’s a great partnership between you and the vendor to, you know, hone your process and figure out what works for you in order to be able to have a successful program and to keep the workload on your part down because it needs to be very tedious in the matching and the research that needs to be done.

Giovanni: Yeah…

Matt: Gio, what have you seen?

Giovanni: I mean, I think that there’s a lot of complexity in this. And I think that it can be deceiving at times because you think, “Okay, well, I just have a bunch of names, and I got a bunch of other names, and I gotta see if they match.” And, like, there’s so much more that goes into this. And I think it really breaks down to two things, like what do you do and then what do you do with the results? So what do you do with all the data? And you gotta get it from all the different places, and you gotta pick which list you’re searching and all of that. And then a lot of it kind of comes on what do you do with the results, right? And I think that’s where that partnership, whether it’s with your vendor, or the settings in your system, or your team, there has to be some intelligent consideration of, “Well, how deep are we looking into this? Are we gonna look for every potential match with a name or only the exact match if we find it?”

We know that exact match is not good enough because, you know, you might have a middle name and a middle initial or something like that. But then, you know, what do you do with all the complexity of what comes back? And I think a lot of people trip up on this is they either make their filter too tight, and they don’t see all those potential matches, or they make it too wide and then they just get buried reviewing a bunch of, you know, screen after screen of this stuff. So, you know, as simple as it can seem on the front end, as you dig into it and you have all these different sources of data coming from your team, and then you’re trying to match that with all these lists, there’s a lot of complexity in it. And, you know, when you get it right, it’s nice to really have it tight, but it takes some effort to get there.

Matt: You know, I wanted to ask a couple of questions about where the screening lists come from. And I was struck by how all three of our panelists said is just as much of a problem getting your own internal data. And I wanna get to how you do that well. I’ll get to that in a few minutes. But right now, I was just wondering if we could talk a little about how do you decide what master lists to use out there to screen against. We have that HHS LEIE master list, but if there are other databases out there that are commercially available or downloadable for free for whatever they might be worth, where do you all go look for those lists? If you look for more than one, how do you try and evaluate them or decide which ones are best to use? Maybe, Debora Murray, I’ll ask you first and then Mikki and Deborah Adkins. But, like, what’s your lay of the land? How do you survey the external databases you wanna use for screening?

Debora: You mean, how do I do it if I get a request for an individual screen or?

Matt: Like, do only rely on the LEIE master list from Health and Human Services, or do others come by and say, “Hey, I got a great list for you to use here,” you know, how do you figure out where you should go for that?

Debora: Well, we get requests frequently to screen against the Michigan. It’s called Michigan Medicaid Sanctions list. So I have a contact person in Lansing, that’s our state capital, who I call and she helps me. She screens out names upon request. That’s also a list I can access on the database for the state. But she can assist me in a direct way using date of birth and social security and that kind of thing. But in terms of what drives the other agencies that we use, I mean, the government OIG requires the LEIE only, I believe, but we still…you use screen against SAM, right? The System for Award Management database?

Giovanni: Yeah, we usually scan that as a standard.

Debora: And that’s always been problematic for same name matches because, you know, they don’t always offer the opportunity to rule out by date of birth. And of course, the SAM is, of course, an umbrella term for hundreds of federal agencies, including, you know, FEMA, and, you know, every agency under the sun, the armed forces, and so forth. So even though we’re not required, we do still screen against that, and I believe OFAC. And we need to talk more about the FDA, I believe it is, because of our research arm. I’m not sure if we screen against them. I don’t think we do yet. But we have a list of agency websites with hyperlinks that we share with our team so that in the event we need to do our own screening or assist our contact person at ComplianceLine to rollout someone, that we can go in and actually work with your staff to conduct that as needed.

Matt: Okay, Mikki, how have you tried to work this with so many different agency lists floating around out there that you’ll have to use some, you might use others, but how do you decide which ones you want to actually use?

Mikki: Well, I think there’s a couple of ways…

Giovanni: And, Mikki, is it worth talking about how you did it before when it was manual, and if that’s different now that you have a platform for it?

Mikki: Oh, very different. We were not able for capacity-wise to do as much when we were manual. It just was not feasible. Like OFAC is so…the data is so confusing. You just can’t tell when you’re trying to do that manually. What we’ve looked at is we look, of course, at the federal and the state regulations. We also look at what payers are requiring and what are credentialing because we do delegated credentialing. We do do research as well. And so we do request to research FDA and those kinds of things as well to make sure that we’re hitting all of that on our screens.

Matt: And then, Deborah Adkins, what do you do?

Deborah: Well, we are national. So I think we operate in about 47 states. So it’s a little bit different than being in one state. So, in addition, of course, to your federal databases, you know, the LEIE, the SAM, TRICARE, the Public Health Service, because those are all federal benefit dollars, we also check all of the state Medicaid site. Not every state has a published day-to-day checks. So you have to constantly monitor when one comes online to ensure if you’re doing it manually, that you’re picking it up, or your vendor usually is a good partner and they scoop up, you know, the new databases may come on, and then they add them to your screening. For that reason and the complexities, I always suggest we meet with them, our legal counsel, and have them go over the list, and we do an annual kind of review.

You know, these are the lists we’re screening, are these still what we should be screening? Do we need to add any? Because sometimes we would be screening and find out it didn’t apply to us. The FDA list for a while, and I don’t really care if you got banked in a clinical trial because you’re not…you know, that doesn’t affect my payer mix. So it really depends on your business model, I think, and your payer mix and what you’re being asked to do. So, for us, we have referring providers. And I know Debora Murray said her pain point was vendors. My pain point is referring providers, not so much my staff, or vendors, but the referring providers that I furnish a device based upon their order of prescription. So, again, I think it’s somewhat unique to every business and how it would work.

Matt: It’s interesting, it really sounds like all three of you are describing, you have to do a risk assessment, frankly, like you would for any other risk about where are big lines of business? What are the regulations that apply there? And then from there, we’ll reverse engineer here the databases that we have to look at. Gio, tell me how you’ve seen some people try to solve some of those because it sounds like there’s just a truckload of databases that people would have to screen against. Before I would research this very closely, I had figured the OIG master list would solve a lot of problems. It sounds like there’s many more problems than that. But what have you seen people grappling with and the challenges they’re facing, and how are they trying to solve it well?

Giovanni: Yeah, so I think there are a few tiers to it. So I think at a base, you should be searching these master national lists, right? You should be searching OIG, SAM System for Award Management, stuff like that. But then you very quickly realize that you have an obligation to make sure that nobody who’s excluded on any list is employed with or working with your organization. So when you realize that your obligation is if they’re on the list anywhere, they need to not be working with you, then you have to start looking at, “Okay, well, I got the top four, and then there are 100, 200, 400 of the list that I could check.” Then you have to start doing that risk assessment and saying, “All right, well, where should I be involved?”

If you’re only doing business in Vermont, you probably don’t need to be checking the Alaska and the Oregon Medicaid list. But, you know, based on where you are, if there are adjacent states, if there are places where you may have recruited a doctor or physician from another state where they might have been excluded, you have to be checking those. So we generally go through with a new client, and this is part of, you know, our standard approach of, “Hey, let’s help you get this done well.” If you check everything, you’re gonna be reviewing too many searches, and we all have time that we could be spending on other risk management things. So you don’t wanna overload yourself with just doing everything.

But you wanna have a thoughtful approach that says, “Okay, should we be checking these Medicaid lists? Should we be checking, you know, these FDA or these specific verticals?” And then usually, you get to some balance that says, “Okay, here’s where I have to check, here’s where I probably have some likely matches. Maybe I wanna go another tier around that, or maybe I don’t,” and then you kind of get a decent set. And then I think if you have a good partner, which we certainly try to be, then that partner should be coming up to you, you know, periodically and saying, “Hey, we just added this new list. This state wasn’t publishing a list six months ago, they are now, do you wanna add it to your consideration.” And I think when you do that, you get a good baseline, and then you can tweak it from there because I don’t think…you know, I think we’ve all seen that you can’t just kind of set something and forget it for three years and plan on it kind of still being relevant.

Matt: Let me shift gears then back to the internal processes and the data that a company has to pull together because I was struck by how all three of our panelists here said that that is a big challenge, you’ve got different departments giving you different formats of data, maybe with different frequency, or different enthusiasm and attention to detail, I’ll put it that way. But how do you try and govern that to make sure that everybody is listening to the compliance program, which can be a big assumption at some companies, and what is it that you are telling them, or what processes do you have in place to make sure you’re getting the right intel from HR, or the volunteer coordinator, or procurement if you’re looking at vendors or anything else? But how do you try to stay on top of that and put some governance around it? Deborah Adkins, let me ask you, and then Mikki, and then Debora Murray, but what’s it like on the inside?

Deborah: Every day is a challenge. We try and work closely with our teams and designing the data that we need. Of course, leveraging IT to automate as much of the data gathering as possible, you know, so the first of the month, we’re gonna auto-generate this report for you. We’re also trying to make sure that we have good data in our onboarding with employees and with our vendor setup, so asking the right questions on that process to ensure that we get the right data to be able to do the screening. We also somewhat outsource internally to our HR department and our finance department to do the screening at the beginning of hire and at new vendor setup themselves. So they are responsible for that initial screen. For employees, that’s part of the background screen, and then with vendors, it’s part of setting them up in the system. So, compliance, we do an audit once a year to make sure that those departments are doing that correctly and gathering that data.

Matt: I was about to ask how you make sure that they are swimming in the right direction. So it’s an annual audit and a lot of explaining the importance of this?

Deborah: Exactly. So we’re checking up on them, and we’ve been fortunate, they’re pretty long-tenured employees, they kind of know. And they always…if they get any type of potential match that they’re not, you know, 100% confident that they can rule in or rule out, we are their partner. They come directly to compliance with it, and we kind of take over from there. So they’re not, you know, making those decisions alone. They’re just really doing the screening and then turning the results over to us.

Matt: Sure. Mikki, how are you trying to solve this? And I’d especially be interested to know how were you trying to solve it in the old days of doing this manually and how is it working now?

Mikki: The old days, we did not have some controls in place, and it was kind of…and this has been years ago. It was very difficult. I did not have a way of checking who was doing what. And so that’s one of the things that the vendor brought together is that we’re all on the same page, we’re all using the same platform, and it’s working well. And then I can always go back and see what they’re doing through the vendor site, which is very, very helpful.

But just like Deborah said, we have some things in place. Like before a contract, as part of the contracting process, they have to run a check. Before we engage a vendor, before we actually put them in our system, we have to ensure that they’ve been checked. New employees are checked by HR. And then because we do a monthly, let’s say we had a fail, somehow we had a fail within those other systems that we have, we’re gonna catch that on the first month. So, by doing it monthly, the worst scenario we would have is that we’d have somebody for a month that really shouldn’t have been part of our…we shouldn’t have been doing business with.

Matt: And Debora Murray, what does it look like with the Henry Ford Clinic?

Debora: So I would say two things. One is education. Since I work with our HR similar to what Deb Adkins shared about the outsourcing of our pre-hire screening, so we do the same thing. Our HR department is responsible for onboarding, so, you know, doing pre-screen, exclusion screening, criminal background checks, all that. And then we compliance monitors monthly going forward and using PeopleSoft, you know, list. And so I have key people in those five areas I mentioned earlier, those five very different departments, and I go in front of their teams, most of their teams, annually, at least, or sometimes more than once a year. And I have a presentation I do that educates them about the importance of compliance, why we must be compliant, who’s auditing us, and so forth.

So I find that helps when people understand the importance of this process. And I use examples, real examples of people we’ve hired that we’ve had to fire, or, you know, that kind of thing because we didn’t do appropriate screening. The education really goes a long way in helping people comply. And then beyond that, I don’t audit. Our department doesn’t have separate audits necessarily because we have enough third-party audits that we undergo each year. Just finished one with Aetna two weeks ago. And they’re all asking for proof.

They will randomly select 20 vendors, physicians, and so forth, and say, “Show us the documentation, pre-screening, you know, pre-hire, and for the months of April, May, and June 2019,” you know. So we get enough audits, so I know, you know, whether our process is working. The same goes for compliance education. They want us to show did they complete their compliance education before hire and before they started working and then annually after that?

Matt: It’s striking that so much of this success here seems to be, can you get in front of the actual human beings to explain to them the importance of why we’re doing this and doing it well and embedding your compliance processes that need to happen into their operations. And we could talk about any compliance issue, including those far removed from the health care sector, and still, it’s this to really get the success of a compliance function up and running.

Debora: Yes, we are relationship-building business, that’s for sure. And the other I wanted to also mention we use online OMT, we use online management system for tracking. It’s a tracking system. Anybody can buy it. We use that for a big portion of our population in terms of we…Pam Gray who’s…I think she’s on the call. I work with Pam. She makes sure that each month she enters into our OMT system that we’ve received completed list from ComplianceLine for this category, governance, you know, board members, in other words, volunteers, and physicians, employees, and so forth. So we also track that. We use an external system to track and monitor.

Matt: And let me ask, is everybody here doing screening? How often are you doing it? Are you doing it monthly, or do you do it less than monthly? I know some entities out there think annual is fine, but is everybody here doing this about once a month? Mikki, you said you were?

Mikki: Yes.

Debora: Yes, monthly.

Matt: Gio, what do you see clients out there or just companies generally, what do you see them trying to do, or how many businesses out there do you think are still doing this annually because, I don’t know, for whatever reason, they think it’s not necessary?

Giovanni: Yeah, I think a lot of people are still doing it annually. I think some people have stepped into that monthly piece, and then they’ve kind of gotten busted by it because they realize how much work it is and then they step back. But, you know, really, I think maybe five years ago, a medium-sized provider could get away with doing it annually and, you know, you weren’t gonna get enforcement against it. I think the attitude with sanction screening these days is you should definitely be doing it more than annually. If you can only do it quarterly, that’s fine. I think that if you get it set up right, if you have a good vendor that partners with you, you should be able to do it monthly and/or on an ongoing basis. And that ongoing basis is the mix of, “Let’s kind of sweep everyone monthly, and then let’s do, you know, people who get hired or people who change their category or something, let’s do those one-offs.” So I think that that’s the best practice.

And unfortunately, you know, I guess for better or worse, with the sanction screening, you know, it’s kind of like HIPAA, right? Like, you can run afoul of it, and you can be wrong, but you can ever kind of really be sure you’re right. You just have to always make sure that you’re doing enough to show, you know, that you’re trying to catch people because, you know, ultimately, a lot of times like you do miss one, maybe that’s something that we can talk about. Like, you’re gonna find one occasionally that, “Hey, this person has been with us for two days, or two weeks, or whatever, and we just found this exclusion, it just got updated to the list or whatever.” That might be something that we talk about that. You know, you have to build this so that you plan that you’re gonna find something and have to clean it up. You can’t act like, “Hey, I’m just probably gonna go for a year and everything is gonna be fine.”

Matt: You know, interesting to talk about what you could get away with for screening and frequency. And, Debora Murray, I think it was you, you were saying that you’ve got your third parties and your customers leaning on you to demonstrate and show the documentation and the audits that you have this in order. And I hear that a lot also in the anti-bribery world with overseas corruption that a lot of companies, the more they can demonstrate they have this taken care of, the better a vendor they look like to their own customers. Because really, your vendors are your customer’s fourth parties. Your customers have no idea what fourth-party risk is. So the more you can demonstrate this, the better off you are as somebody able to court your customers. And that’s been true in anti-corruption, it certainly seems true here.

But, Gio, you had brought up a good point and maybe I could ask the panelists here, how often do you actually find an error or a failure, or what is it that slipped through for 28 days or two days or whatever that you find somebody that turns up a screening hit and you have an issue? Like, how often does that happen? Mikki, I’ll ask you since you had, I think, mentioned that earlier. But Mikki, and then Deborah Adkins, and then Debora Murray, like, what comes up for a non-compliant event?

Mikki: We have only had a couple of what I would call matches that we had to run… And in those, we actually found that someone did have something, but it had since been…they had corrected it. And so they were okay at that point. But that’s the beauty of a system, is it’ll go back, and it’ll tell you this happened before, and this was a pharmacist. So, you know, we’re very concerned about what is that person doing now that they could repeat history again. So, looking at those kinds of things.

Also, as we get them, you know, we will run to ground the individual, try to find out more, you know, what’s the middle name? Where have they lived before? And really delve into who is this person? And what is the actual sanction? What did they do? How does that apply to their job? You know, were they a physician before and now they’re working as an aid, but they’re not doing billing and their issue was billing? So, looking at all of those kinds of things.

Giovanni: That’s a lot of that kind of messy middle, you know, I was saying that there’s the complexity and what you do and what you search. But then that stuff that Mikki was brought up of, you know, someone might be on this list, but that’s an old one, and then they’re not on this one because, you know, it’s been adjudicated, or it’s been fixed since then, that’s a lot of that follow-up that, you know, we try to help our teams with when we do our full service sanctioned screening, where we’re gonna run to ground as much as possible for you so that your team has as little as possible to review and actually make a decision on. But that’s a lot of that mess that Mikki was bringing up that, you know, it can be on one list and not somewhere else, and then you have to compare it, look by date of birth, and all that stuff. That’s where I think a lot of this work comes in because when you find one of those, it might be 1 in 1,000, or 1 in 10,000 that really gets messy, but that’s where a lot of your risk is. You gotta make sure that those items you find, however infrequent, you run the ground properly.

Matt: Deborah Adkins, maybe could you talk a little bit about this, too? You know, what do you do with it? And how do you make sure your investigations protocols and whatnot are equipped to be able to run it down like Gio said. But, you know, how do you handle the matches on the screening?

Deborah: And it’s really with maturity I think and expertise because when you first start doing this, it’s totally overwhelming. And I’ll tell you a funny story about the nuances of this. In a distant land long ago and far away, there was an excluded employee who knew that they had been previously excluded and thought that they were no longer excluded. And they were employed for a good while before it was caught, because in the upload of the data, the last name and first name fields were switched. So the algorithm never ever picked them up as a possible match. And so, you know, this all came to life and it was actually that person, and we found out, and then they said, “But I thought I was, you know, reinstated,” and they weren’t. So, you know, that’s a huge issue to go back and extrapolate how many federal dollars they might have had with an impact based on how many years they had worked. So, that’s a funny story, just about the nuances within this.

And then I had one one time, it was a name match, and it was very close. And so I called the excluding agency…and this was back in the day when you would give the social over the phone, you know, and they would say yes or no. And I read all the social and she said, “Read it again.” I read it again and she said, “It’s off by one digit.” Same name, same city, state, off by one digit. Keypunch on the government, you know, they keypunch on their part. So you would have never known that without really digging in and doing, you know, some more investigative research. Because today, you enter the social security number on, you know, the LEIE, and it comes back, no match. And you say, “Okay, well it didn’t match.” And it didn’t match because there were that many digits.

I mean, we go all over the place, there’s, you know, additional websites that you use, licensing boards in the states are always good with taxonomy as the dock. And to Mikki’s point, sometimes, for vendors, especially, does the service or item may provide, is it in that stream of furnishing that HHS considers? You know, do you buy paper towels from them? You know, do you buy plaster supplies? So, again, we work closely with legal counsel once we have a positive match to determine if it’s really applicable to the exclusion list.

Matt: Okay, and, Debora Murray, tell us your experience with matches and how you decide to sort them out, what’s that like?

Debora: I would say, you know, we had a one-off situation a couple years ago where we had a homecare therapist, same name, same date of birth, exact match, we thought. And he actually ended up getting a lawyer. He swore it was not him. And we worked…actually, I work with a woman at the OIG who has presented at HCCA conferences in the past. And she called, we talked on the phone, and she researched it and found that it was not the same person, even though it was the same name, same date of birth. And I don’t remember what the issue was with the social number, might have had the same social number. I can’t remember. But anyway, I asked her to send it to me in writing. So we ended up keeping this employee, but it was just a fluke in that situation.

But I would say more…we have, you know, had audits where we missed a name and a given month that wasn’t screened. And we’ve, you know, over the years been able to fix those types of issues. I think our one problematic area has been recently with our staffing vendors who I do tend to hone in on with the vendor population because they’re placing people who are touching our patients. I do frequent audits with them. And they…even though our staffing vendors, even our largest one, which is a national firm, they attest to us that they do the initial exclusion screening. Sometimes their standards aren’t the same as ours, our policy standards for screening in terms of what they’re going to rule out. And they placed a nurse who had been under disciplinary suspension like five years ago in a different state. And it wasn’t clear that she had been reinstated or it had been resolved, but she did have a current nursing license. So they said, “Well, she has a license, so we assume.” So, sometimes the standards can be different with your vendor companies if you have, you know, a screening arrangement with them, I have found that. And then as I said earlier, GSA matches can be difficult to rule out as well.

Matt: How would you get to harmonize your policies and intentions with those, say the staffing vendors? I think that’s a great example. But how would you make sure that they are performing up to your desires and specifications?

Debora: Well, we have a written agreement with that staffing vendor. So I went to that, and I worked with one of our attorneys who was a close colleague of mine, and we provided some wording revision to the agreement, and they agreed to it. And that got put in place just a few months ago. So, yeah, no, they agree with whatever we say the standards are because they assume we’re the experts, they’re not. I mean, these companies, they have compliance programs, but, you know, they’re not at the level of our compliance program. And we’re their customer, so I assume that’s why they would wanna respond.

Matt: Gio, let me put a question to you about the technology and what it can do because I’m hearing an awful lot of stories about matches that turn out to be they’re just off by a digit, or the names are transposed, or whatnot. And I have heard, especially from the Justice Department, and especially from OFAC more on import exports compliance and sanctions and screenings. But both of them are basically saying, “You really need to be up on your data and your analytics that you get even a partial name match.” Because if your reply is gonna be, “We only did full names and so we missed it,” like, they’re not gonna buy it.

They’ve been very clear that they want to see compliance programs have pretty sophisticated data analytics. The Justice Department has flat out said they use data analytics and their IT capability stink compared to the private sector. So they can do it, they certainly expect you to do it. So they get a lot of messaging around good technology. Talk to me about like, okay, so what can actually be done here?

Giovanni: Yeah, it’s a really big issue. And it’s a big issue because the risk is ultimately on you, the provider, to make sure that you do this right, right? Like, if someone does something wrong, you need to make sure that that person doesn’t provide care. The data, and a partial name, and the date of birth being transposed, all of that may get you some defense for a settlement into regulatory action. But ultimately…like, there are two layers to the risk here. There’s the regulatory action risk, you get a fine, and there’s also the patient risk that, like, someone doesn’t provide good care, they shouldn’t be providing care, and you let them. So, for both of those, you need this technology to really figure it out because the data is messy. We know the data are messy when they come in from your team, and when you’re getting it from, you know, 2 dozen or 200 different lists.

So our philosophy with dealing with that is, listen, there are layers to this, right? If you look at it on an exact name match basis and you find a match, well, then you definitely know it is a match. But if you don’t find an exact match, you have to go to the next level and the next level. And what we do in our software at sanction check is we have various layers that we’ll put something through as you do an exact check. If you can find it, that’s great. If not, you move into, okay, well, what kind of fuzzy name matching logic do you have? Like, is John and Jonathan good enough to show up and say, “Hey, I wanna look at that?” Or is the, you know, middle initial D compared to middle name, Deborah? Like, do you wanna see that as well? So there are all these layers that you can go through to say, “Okay, you know what? This is really important. I don’t wanna miss it once, I wanna do the work to make sure it’s right.”

And then what we do is we have kind of a throttle on our search algorithm where we can say, “All right, we wanna see a bunch of names, we wanna see all the fuzzy matches, and we really wanna get down to everything.” Sometimes that’s too much and it’s really unreasonable, so we’ll take it in a little bit. But if you’re just starting with exact name matches, and you say, “Only if this says Jonathan D. Smith, and this date of birth, only if it’s exactly that in the database, am I gonna count it as something that I need to look at,” you’re missing a lot of stuff, and you’re just…you know, it’s kind of like driving without insurance. You’re hoping that you just don’t get into a wreck and you don’t…you know, in this case, someone gets found out, and then you have regulatory action against you.

If you wanna stay on top of this for both the regulatory risk and your patient risk, you gotta do beyond that exact name match. And when you start doing it, like Mikki was saying, once you start doing that, if you don’t have technology to do it, you’re gonna be buried, you’re gonna be underwater, and your eyes are gonna be glazed over. So, you gotta kind of get some balance here. And that’s something that we really work with with all of our service clients on is, “How much of this do you wanna see? Do you wanna see every name? Do you wanna get 10,000 names a month? Maybe that’s too many, how about 200? Let’s narrow it in and kind of get you the right level of accuracy to really manage your risk.” As with all of this, it’s a risk management discussion, not just a check the box, okay, I did a search and nothing came up discussion.

Matt: Let me just ask one more question of our panelists before we get to some audience questions. We do have some. And if anybody listening has others, now is a good time to submit them. But I was just curious, how do you use the fact that screening exists as part of your bigger ethics and compliance program? Like, for example, do you weave it into new employee training, or ongoing training, or discussions with vendors?

You know, we’re gonna be screening once a month. So if you commit misconduct in the next 28 days, you know, we’ll find out about it by day 29. I mean, do you do messages like that or somehow otherwise try and put the capability of screening to a bigger and better use, if that makes sense? I don’t know. Deborah Adkins, and then Mikki, and Debora Murray. Like, what do you try and do with screening to help the rest of the compliance program?

Deborah: We do try to educate all of the different factions because, you know, as Gio said earlier, it’s a complex process, and there are a lot of nuances to it. And so we want the employees to understand what it is, what sort of things happen that put someone on the list. I constantly struggle with having my admin folks out in the field understand that just because your NPI is active and your PECOS enrolled, that doesn’t mean that you cannot also be excluded. So there’s a lot of misunderstanding.

So we do departmental-type meetings, where, you know, compliance will have a topic every time they have one, and we on the compliance team rotate what we wanna talk about there. So we do that. In onboarding, we talk about it, and we also educate and ask the employees they sign off on self-reporting. So, to your point, Matt, if you become excluded in the next 28 days, the onus is on you to let us know. Of course, we’re going to find out as well.

We do the same thing with our vendors that we ask them to self-disclose, and they also attest that at that time, you know, they don’t have any active exclusions or whatnot. But I think it’s kind of a continual process because, you know, you have new folks coming on and everything, but we talk about it. We always talk about it in the realm of compliance and that it’s important and why it’s important, because, you know, number one, you always wanna do the right thing. Number two, to Gio’s point, you wanna make sure that your patients are receiving the best care possible. You don’t wanna give back any of that harder reimbursement money that you received, and you certainly don’t wanna come into civil monetary penalties. So, you know, there’s a lot of facets to it. And somebody said earlier, you know, you get more buy-in if people understand it. It’s not just one of those index, she must do that, and they don’t have any clue what it is or why. So we try to talk about the details and the why.

Matt: Okay, Mikki, what do you do at your organization?

Mikki: We’re not as robust as Deborah is. Most of…

Deborah: It’s taken a long time, Mikki. It’s taken a long time.

Mikki: Most all of ours has been on the vendor side and letting the vendors know, first starting with contracts that, you know, this is our expectation, and we’re gonna audit you, and so forth. We also have engaged a vendor management system that we don’t have fully operational yet, and they do a piece of that as well. So that’s part of our education.

Matt: All right. And Debora Murray, what do you do?

Debora: I would say our local compliance officers at the different hospitals in our health system are really well educated about the exclusion screening process. And that it’s also included as a topic on our annual mandatory education that all 33,000 of our employees are required to take. They’re not all employees, I should say workforce members are required to take annually. So we always educate about it through our annual mandatory education and through our quarterly compliance newsletters. I have an article about exclusion screening at least annually, and one of the four issues that reminds leaders about this process and why we have it in place. And then we report out on our outcomes to our system compliance committee quarterly as well as our boards. And then we have a compliance work plan that’s based off of a risk assessment annually.

And we have an operations tab on that, if that makes sense, that incorporates things like policies and procedures, exclusion, screening, you know, rounding the compliance management system, hotline calls, and so forth, policies and procedures, and the like. So it falls under our operations grid of activities, which is posted internally on our compliance site. So we have a number of different ways we are constantly educating our employees and workforce about this process.

Matt: Okay. We now have a few minutes here to get to some of the questions audience members have asked. And actually, Gio, I’m gonna start with you because I saw you submitted a little note. We want to get to the competitive bidding issue. Gio, what was your…?

Giovanni: Yeah, I’d love to maybe just…maybe I can broaden this out a little bit. We’ve talked a lot today about how when you’re doing exclusion screening, you’re really kind of the center of a hub of a bunch of different things. You have your employees, and your volunteers, and your vendors, and all that. I’d love to hear from some people on the panel, kind of how you deal with some of that complexity, maybe it’s your volunteers, or maybe it’s your vendors, or something.

And maybe we start with you, Deborah Adkins. We were talking yesterday about how this concept of competitive bidding is opening up a bunch of new vendors that you need to consider in your exclusion process on a scale that is different from where it was before. And if anyone else wants to kind of weigh in on that or just kind of maybe talk about how some of the complexity outside of just your core employees kind of changes this process for you.

Deborah: Sure, as I mentioned earlier, the referring providers are kind of my pain point. Employees and vendors, I have really good data on. I’ve got, you know, your social security, your tax ID number, whatever. On a referring physician, I’ve got a name and address and an NPI. And you can imagine how many Dr. John Smiths there are in the world. And, you know, I’ve got about half a million providers in my database. And, you know, we are looking at every provider the first time they show up with an order. And then we are screening, you know, monthly in batches. And with competitive bidding, that just opens up the pool for who can provide, you know, the orthotics, one of, you know, our core business segment.

So, we’re struggling a little bit I will tell you with the volume right now and keeping up with that because of the lack of data. You really have to go, you know, over the river and through the woods to find out, especially when you go to, you know, the NPI registry, which of course is self-reported, and there’s no mandate for that to be updated on a routine basis. So I’m dealing with one right now. It’s been 11 years since that was… They’re in a whole different state now under a whole different license. So, you know, Google can be your friend a lot of times, additional lists, like we talked about earlier, looking at licensing boards in different states, so many more prescribing nurses now than there used to be.

And probably may sound a little bit sexist but, you know, a large majority of nurses are women, and there’s a lot of name change going on with married names and maiden names, which, you know, makes it very challenging. So, you know, it’s always challenging and it kind of peaks and varies with different things. So the competitive bidding is one area right now that is a bit of a challenge due to opening up that broader field.

Matt: We had a couple of questions about competitive bidding. So, Deborah Adkins, thank you for that. One person just asked very simply, “What about volunteers?” Where’s their exact question? “Our organization does check volunteers, is that recommended because they’re not paid staff?” Mikki Massey, how do you handle that at your hospital? Do you also do all of this with volunteers as well?

Mikki: Yeah, we consider volunteers part of our workforce, and therefore we screen them.

Matt: All right. And Debora Murray, do you have volunteers in the clinic there? Is this question for you?

Debora: Yes, we screen all our volunteers as well. They’re considered part of the workforce.

Matt: And then one last question. With vendors, how do you handle vendors that have multiple addresses or DBAs, doing business as? I don’t know if that’s near and dear to somebody’s heart here on the panel? Debora Murray, do you have a good answer for that? How would you handle vendors operating under multiple names?

Debora: Yeah. There are many vendors, I’ll use the example of MedStar, you know, ambulance, they’re in every state or a lot of states. So what I’ve done over the years is work with our supply chain people to have one contact person, a compliance officer preferably for that company, for the company we’re using. And I actually need to have nowadays a name of a direct person, a compliance or other person because we have a shortlist of 50 vendors that we audit annually. We audit three to five of them annually to make sure they have an effective compliance program in place. And you have to work with someone at that company. So we’re trying to more and more now get the name of a specific person and an email address that we can work with them to verify the data we need to obtain. It’s a challenge.

Matt: We are actually at the end of the hour here, so we are pretty much out of time. But Deborah Adkins, Mikki Massey, and Debora Murray, thank you all very much. This has been great. You’ve given us a lot of very detailed information. So we really appreciate your time. Gio, I don’t know if you’ve got any other closing remarks or anything that you wanna make, but this has been a fantastic hour for all of us.

Giovanni: Yeah, I’ll just reiterate that, Matt. This has been really interesting. It’s great, Deborah, Mikki, and Debora, to see…you know, I think that you guys really have a best-in-class approach to this. You work hard, you, you know, kind of focus on the right things, and you really do a lot of the work well to make sure that you’re doing this right. So I appreciate you coming on today, sharing some of your expertise with us and our audience. And I’m sure it’s given some people some things to work on, maybe think about, and maybe implement to sharpen things up. So, yeah, we can just wrap up. I appreciate everyone joining us today, everyone who has stayed on as attendees know that we’re gonna send you your certificate for SHRM credit and then also a wonderful eBook coming from Matt Kelly for you.

This has been Sanction Screening PPE 2021, Protect Against Potential Enforcement. It’s been a pleasure to spend some time with you all today. Please reach out to me directly. You can get my email or my LinkedIn. If we can help with any of this, if you just wanna kind of throw some ideas around or understand how to do this better we’d love to leverage our network and help you get it done, whether you’re a client or someone just trying to get this done right. This is an important and complex process for all of us to manage. And it’s been great having Deborah, Mikki, and Debora on to share with us some of your expertise. Thanks so much.

Debora: Thank you.

Matt: …for listening.

Mikki: Thank you, Matt.

Matt: Have a good day.

Giovanni: Bye, everyone. Thank you.