Webinar: Healthcare Sanction Screening-Better Strategies for New Risk
Sanctions checks are a core compliance duty for healthcare organizations. This session will review the right way to think about your sanctions risks, and what tools and strategies to employ to find sanctioned third parties and remove them from your operations. We’ll also talk about the challenges of sanctions screening when staff turnover is high and contract labor (traveling nurses, for example) is vital to deliver services.
Transcript for Healthcare Sanction Screening-Better Strategies for New Risk
Nick Gallo: Hello, everybody. Welcome to our webinar today. We’re here with Matt Kelly and Annmarie Gover. And as always, we want this to be a very dynamic conversation. We want it to be one where there’s a lot of participation from the audience that always ends up adding the most value. So, please keep those questions coming. And with that, Matt, the floor is yours.
Matt Kelly: Sure. Hello, everybody. And thank you for joining us today. We are here to talk about screening and exclusions in the healthcare sector, and how hospital systems, other healthcare firms can deal with that. It is an important compliance priority for healthcare for a couple of different reasons, mostly because you have to account for proper spending of federal healthcare dollars that go your way. So, you always have to keep an eye on who are your employees, who are your temp staff, who are your nursing staff who might be working for you, and whether or not they should be working for you if they’ve had some kind of past disciplinary action in their history that would rule them ineligible to be working on federal healthcare programs.
So, we’re here to talk about those kind of issues. And it is especially tricky these days because the pandemic has really left a lot of healthcare systems running at full tilt, and they are relying extensively on say traveling nurses, other temp staff. You have that extra dimension of variability about who are these employees? Where are they coming from? How do you know that they are going to pass screening or not?
So, there’s a lot of compliance issues that we have to think through here. That is what we are looking to do. For anybody who is not in healthcare but might be hanging out for the hour, anyways, we’re happy to have you here. We will try and tease out some of the best principles around employee background checks and screening that probably would be worthwhile for anybody in any business to address. So, that’s what we’re looking to do.
As Nick said, there are three people on the panel here today. There’s me, Matt Kelly, the moderator, and the Editor of “Radical Compliance.” I always like to say I love talking about this stuff. This stuff has anything to do with corporate compliance. So, if anybody has any ideas of what they wanna talk about, you can always drop me a line on email. You can always ask us questions here. But really the thought leaders that I will be talking to are Nick Gallo, the co-CEO and co-founder of ComplianceLine. And then Annmarie Gover, who is the Corporate Compliance Officer at PAM Health, which I believe is Post Acute Medical, in Pennsylvania. So, Ann, welcome, by the way. Thank you for being here today.
Annmarie Gover: Sure.
Matt: And then just to give everybody one last housekeeping sense of things, as I mentioned, we’re going to go for probably about an hour. We are going to try to carve this up into three or four big themes. Theme number one will be questions about where you can actually get reliable screening data to help you with your screening program. That’s gonna be the raw material you need.
Theme number two would be how do you then take that data? And what are the mechanics of how you would actually perform effective screening? And how does a program like that work? What can you automate? What should you not? How do you make sure that this is gonna be able to pass an audit? How is screening running these days when we’re in the midst of a pandemic and we’re dealing with various people in your workforce? And then some questions about how screening might fit into the larger corporate compliance and HR program you might have. How would it fit in with employee onboarding? How about termination policies? How about investigations and other things like that?
So, I’ve got a bunch of questions here, but I’m always eager to have listeners submit questions. You can just do that anytime they come to you on the Q&A function. We’ll have somebody behind the scenes here then feeding those questions to me. And we will either, if you ask a really good question, pop it to Annmarie and Nick right away, or we’ll save them up and we’ll try and get to those at the end of the webinar.
Nick: If I can add one thing, Matt, this is a great opportunity to connect with other people in the chat, so feel free to share questions to each other, to other practitioners. That’s a great way to get information. The way that ethics and compliance is gonna continue to elevate over this next decade is by us leaning into the special thing that we have, which is the culture that we have, and it’s a culture of sharing and it’s a culture of guardianship. So, the more of our tactics that we can share with each other, the more of our learnings we can share, the bigger the impact that we can make in our corners of the world. So, please ask those questions, connect with folks, and let’s jump in.
Matt: All right. So, Annmarie is the practitioner and honored guest here on the panel. I’m gonna put…
Annmarie: I don’t know how honored I am, but thank you.
Nick: High honored. Highly honored.
Matt: For, say, the novice healthcare compliance officer or for somebody, just to kind of set the table for us, walk us through sanctions and exclusion screening and what you’re trying to achieve. What would be the big objectives that you’re keeping in mind? And also, what are the big hurdles that you know you’re likely to encounter and you’re gonna have to anticipate? What would you say?
Annmarie: Okay, so I could talk for a lot of time on this. But I think for a novice compliance officer, I think that individual needs to ask a couple of questions. Who are your payers? In other words, do you submit bills or claims to Medicare, TRICARE, Medicaid? You know, state Medicaid organizations. There’s an Indian Health Services benefit that is out there. So, the question is, who are your payers? Because that is going to pretty much dictate what search engines you’re gonna have to access. So, that’s your first thing.
And then you got to… So, for instance, I have been very heavily involved in the Medicare space for many years. And it was just a no-brainer that I had to access the OIG, the list of entities, the LEIE, which is the list that’s there, and see if any of our…because we’re getting a lot of revenue from Medicare. So, that just puts you definitely in the federal space for purposes of exclusion screening. So, obviously, the LEIE was the first one to take a look at.
Then you have the General Services Administration, which is now sam.gov. These are databases provided to you by the federal government that are available online that you can go in and you can put in information. Now the question is, who do you search? Well, as the compliance officer for a large system of long-term acute care hospitals and rehabs, I’m searching everybody. I’m searching employees, I’m searching doctors we contract with as part of our credentialing for people to even come on the floor. They have to be checked. Our credentialing process has the exclusion check done at the beginning, you know. So, there’s employees, contracted doctors, there’s temporary workers. And we talk a little bit about COVID there.
One of the things that we have done, and this was prior to COVID because finding nurses was hard enough before COVID, and now it’s really, really hard is we had temp agencies and we actually contractually require the temp agencies to provide justification or certification that they have run everybody that they have that they’re sending us through the exclusion searches. So, we are not getting anybody who’s excluded.
So, even though we’re scrambling and we’re trying to find people to help our patients, that is still something that has to be done because if we ever would submit a claim for services they claim to Medicare and the services were rendered by a nurse who was excluded by the OIG because of substance abuse issues or a doctor who was excluded by the OIG for upcoding, any of those claims associated with those services pose a really big risk to the organization because we could then be slammed with, you know, criminal civil penalties, administrative sanctions, that sort of thing. The thing that hangs over the heads of anybody who contracts with Medicare as a provider is the…particularly if a lot of revenue is generated from Medicare receipts is the exclusion of that provider from the Medicare program.
And one of the things that we have to make sure that if we don’t do the exclusions of everybody who is providing services that we’re billing the government for, we have to… That’s always hanging over our head. They could say, “Hey, we’re no longer gonna issue provider numbers for you. You are no longer participating in Medicare program,” and then our whole company and our whole way of life kind of goes away. So, I’m rambling here. Did I answer most of your questions there?
Nick: Like, we’re just scratching the surface. Yeah.
Matt: Well, so, Nick, give me your perspective on this because Annmarie has a very up-close good sense of it from her corporate perspective. You deal with a whole lot of other companies. And so what do you see as the big challenges around a company building up an effective screening program, or what flawed assumptions do they have that will need attention? What do you think?
Nick: So, what we find… So, why don’t I start at one end of the spectrum where somebody ends up working with us who has been doing it on their own? What we find is that there’s just so many holes in the program, there’s so many holes in the system. And anybody who’s in this game can attest to, like, what a dirty job it is. The data is very disjointed, it’s all over the place. You’re asked to, like, well, figure it out, you know. Well, just make sure, you know, you’re not employing anybody sanctioned. It’s like, “Well, how do I know that this person isn’t excluded?” Well, you know, I don’t know, there’s dozens, and dozens, and dozens of lists. And if you’re gonna do it right, you have to get all those lists and you have to get all that data consistently because names change, and so forth.
So, you know, the thing that I always paint the picture of is somebody committed, you know, some kind of fraud in Arizona and now they’re working in South Carolina in your hospital going by their middle name and their maiden name. And it’s like, okay, well, you’re still responsible for that person just because their name has changed. And many times our only means to get a high confidence answer on whether this is a good or bad actor is just the data from our payroll system or from our HR system and the resultant data on the website or one of a dozen websites.
I mean, we’re all just humans, right? And because when somebody is trying to do it by hand or trying to do it themselves, it’s a very arduous task, and it ends up just not getting done. Like, even if it’s done consistently one month, the next month the odds of them skipping something, and so forth, is a lot higher. And what that results in is a lack of an audit trail. So, I’d love to hear your firsthand approach. I’m sure you’ve lived through audits and folks from CMS coming in and making sure that things are good to go. You know, I’d love to hear what they’re looking for in your experience. But from, you know, the conversations that we’ve had, the main thing to provide is a reputable process.
I think the auditors understand that this is a dirty process. They understand that, you know, only about half of what is on the state list winds up on the federal list. And while that’s supposed to be 30 days, it usually takes somewhere between 6 and 9 months, depending on the state for all those things to jive. So, they understand that the data is different. I think from folks that we’ve helped in their own audits, what they’ve said is that just the fact that they have an auditable process, when an auditor is asking, “Hey, you know, prove to me that this person was searched on this month two years ago,” or, “This person on this month, you know, last quarter.” Just being able to grab that information quickly in a coherent way helps provide the comfort that this auditor… Again, they understand it’s a very dirty job. It helps provide the comfort that there’s a genuine effort to try to make sure that bad actors are not coming through the system and defrauding the government.
Matt: Annmarie, if you wanna give any thoughts about that, about how you develop what Nick was describing there, repeatable process, even though it’s dirty work. But, I mean, what do you think of that?
Annmarie: So, my tip for everyone is this, you know, we talked about who your payers are. Now we need to talk about how many people that your business touches? How many employees do you have? How many physicians do you contract with? How many physicians do you credential? How many facilities do you have? What about all the temp?
So, I’m going on and on like this because you need to determine whether you can do this successfully and consistently in-house. And if you were looking at… I mean, one of the things that I’m going to say right out here having done compliance for a lot of years, it’s hard to get all the resources that you need in compliance. And one of the things that’s critical is that this process has got to be done consistently and on a regular basis. And just because you submit the names to these databases, then you end up with what I call false positives. And you can’t just let these false positives rest. You have to research them. You got to get additional information. Is the Sam Jones that’s coming up on the LEIE the same Sam Jones that works in your facility in New Orleans? You know. And what distinguishing factors can you have?
Just a quick war story from years ago. When I was working for a small HMO, and I was doing all this in-house, and it was very small, and I ended up with a member. I think it was a member. It just came up when we did all of our searches. There was a match of a “Slobodan Milošević” in Lebanon, Pennsylvania, who was 11 years old.
Now, obviously, that was against the terrorist list because Slobodan Milošević was on the terrorist list. So, obviously, that was not a match because 11-year-old… I’m hoping that we are not worried about an 11-year-old at this point. Now that was many years ago, so God knows what happens now.
But anyway, so you have to work the false positives and you got to document that you work for false positives. And you have to document that you disprove that that person is the person identified on the exclusion list, and you got to keep a paper trail with that. So, you’ll have to work with, and I wrote this down as a note, your best ally in your whole compliance program of which this exclusion searches are a part is really your chief legal officer. If your chief legal officer gets it that this has to be done, he or she will help you champion this process to your senior management team, your compliance committee, your board of directors, that sort of thing.
So, it’s not a one-size-fits-all approach. You have to figure out what your resources are, how many names you’re gonna be searching, do you have the bandwidth to be able to research everybody on a monthly basis like clockwork? And do all the research on the false positives. Our last one, we just did. We have seven false positives. So, our compliance manager is digging up additional information to figure out whether we can eliminate some of these names. So, that was my thought on that.
Matt: I wanted to chime in and just say we have this fascinating running chat going on right now.
Nick: It’s awesome.
Matt: Yes. So, I do want to, at some point, Nick, I promise I’m gonna give you a question about false negatives.
Nick: Oh, good. Yeah.
Matt: And also…Annmarie because I know you’re hot on false negatives. But I just wanted to kind of sum up some of what the chat is saying here. A lot of people are just asking about the actual lists you would use and which ones are or aren’t going to be reliable or complete. A lot of talk about they will use the LEIE and then try and cross-reference to the state lists, except they’ll have the names but the state list doesn’t have the date of birth or social security number. Now, what do I do? And various tips going back and forth.
And a lot of, you know, basically grief, I think, about these lists don’t necessarily overlap and line up very neatly. How do I get through that? Annmarie, since you’re in the trenches, let me just stick with you for a moment. Like, what do you say to all of this list overload and confusion situation?
Nick: Welcome to exclusion screening.
Annmarie: Yeah, welcome to exclusion screening. It’s a hot mess. I mean, it really is. You’ve got the LEIE and, you know, we’re supposed to be…you know. The OIG says we should be checking it, you know. At one point, they said periodically. And again, there’s not a requirement that I found from the OIG that we do this. The problem is you can’t not do it because the risk to your organization is too big. You have to do it on a regular basis.
Nick: Exactly, you have to do it. Exactly.
Annmarie: And so the latest recommendation is that you check it monthly. But you got the LEIE, and then, you know, the government got hit with COVID, too, so it took forever before COVID for those lists to be updated. And now it’s taken even more, you know. We’re talking about the government who still has to give refunds to people from 2020, okay, from the IRS. I mean, the government’s caught up in this whole thing, too. So, you got that. Then you have the SAM list, and, you know, the government, in its infinite wisdom, is trying to make these lists easier to deal with online to identify stuff.
But you gotta look at it this way if you have any Medicaid that you bill any of your things to Medicaid. Medicaid is a state program, but there’s also a federal program because there’s seed money from Medicaid into the state Medicaid coffers. So, for instance, our company is operating in many states. So, we have to check all of the state Medicaid lists as well, in addition to the LEIE and the GSA.
So, I don’t know whether I can tell you it’s good news. Like I said, it’s a hot mess. And you just have to figure out how you can consistently look at all of these databases. The LEIE is not the only thing you need to check. You just can’t. I did recognize that, you know, for TRICARE, for instance, they have exclusions but they rely on the OIG list, the LEIE list there. I mean, that seems to be the big search engine that you should use.
But there are others which you cannot deny. The one thing… There was a question here, maybe I’m jumping ahead. The social security death file. I’ve never used that. I’ve only relied on the LEIE and the GSA, and I’ve relied on the state Medicaid databases. I’ve looked at the terrorist databases after 9/11. That was a really huge thing, and that’s something that, you know, we don’t want to be contracting with people who are known terrorists. So, that’s another one. So, I wish I could tell you that there’s a silver bullet to all this. There isn’t, other than to stay extremely organized and document everything and keep it.
Matt: I see several people chiming in that they’re using upwards of 58 or 60 different lists to get their screening done. Nick, let me ask you what your thoughts would be about how the overworked compliance officer at one company can try and get their arms around this. How would they find partners to deal with? And this is one of those issues that actually…even for somebody who is not in healthcare, even somebody who is just doing anti-corruption screening for their global business across 19 different countries. Like, they have the exact same problem of trying to…
Nick: A hundred percent.
Matt: …find…data, and is it reliable? And is it accurate? Is it duplicative? I mean, how would they try and solve this at a strategic level?
Nick: So, I think that’s the right word, strategic. We have to, like, shed the 1900s thinking and we have to think, “Okay, how can I strategically solve for outcome?” And then let’s work back from that because it’s not about the hours worked or you doing the task or whatever. It’s about shielding the organization from the risks that can, to Annmarie’s point, cripple the organization if they’re not gonna get reimbursements anymore. So, how can we start to work back from that risk?
So, you know, just to echo some of the things that you said, you need to first see, like, what are the actual risks I’m facing? Who are these different parties involved? And then start diving into, well, what level of risk tolerance am I willing to take on? You know, I feel like you stole some of my notes, but really…
Annmarie: Sorry.
Nick: No, it’s fine. No, it’s fine. But, you know, partnering with legal and getting that guidance from legal and, hopefully, it’s somebody who gets it. I’d love to hear some horror stories about, in your past, what it was like kind of pushing that string up a hill for somebody who doesn’t get it. But, like, we have to first get the light bulb turned on on how important this is.
Like, this is not a check-the-box thing, you know, run those lists. It’s no big deal. The implications of an error can be vast and far-reaching, well outpacing, whatever. You know, if you have to hire five people to do it, it should be very easy to make that case. If you have to hire 15 people to do it, if you have to outsource it, like, it’s very easy to make the case because it drops in the bucket relative to the ocean of risk that can happen if you don’t have a credible process that’s not documented, that’s not auditable, and so forth.
So, you know, what I would look for, you know, if it were me, this seems, you know, in the scheme of a health system, regardless of the size, getting a partner who can help you do this and do a lot of the legwork. I mean, think about your health, or think about your paychecks, right? You know, back in the ’60s, every business of a certain size had a paycheck department, and those folks were running checks and putting them in people’s mailboxes. Well, a lot of that stuff has been outsourced so people can specialize on it. And there are still people who handle payroll within the organization, the people who are specialized and only able to do that aspect of the payroll process.
I think as we continue on into this decade and this century, and so forth, that focus of ethics and compliance professionals and the things that only they can do and outsourcing other pieces of the puzzle, whether it’s legwork, whether it’s a bit of the risk, whether it’s a bit of the process, all those things allow us to be, you know, really a lot more effective, and ultimately, create, like, leverage points for us to reduce risk in a meaningful way. Not these, like, little immaterial changes of checking the box, and so forth, but to materially reduce the risks that our organization faces because, again, one mess up can have, you know, rippling effects across the organization, and that means jobs, and that means, you know, 1,000 other kind of externalities.
Matt: So, one question I wanted to pick up on there, Nick, you had said… But one thing that you had mentioned was, what level of risk am I willing to take on? And I heard you say that, and my first thought was, “The word I is doing a lot of work in that sentence,” because it’s not really the compliance officers’ call necessarily. We will be this risk-tolerant. You know, you have to get a sense of what does the organization wanna do? What does legal wanna do? What does the board agree with or not?
And I don’t know if you have any thoughts, maybe Annmarie or Nick, you know, like, how challenging can it be just to get the group to say, “We are gonna define our risk tolerance here, and we all understand that. We accept it.” Sometimes that can be really hard for an organization.
Nick: So, I think at some level, they’re relying on the practitioner to guide them through it. So, unless there’s somebody on the board or unless there’s somebody on the executive level that’s been through this process or swam in the pools that Annmarie has swum in for so long, they’re not gonna know. So, I mean, that’s kind of why I said the word I because it’s kind of up to you at some level to help guide them and be the Sherpa on this mountain of risk you’re trying to traverse, you know.
Matt: Sure…
Annmarie: So, I always feel that it’s my responsibility to educate. you know. We in compliance do this job. Nobody else does it. Legal doesn’t do it. You know, your chief medical officer doesn’t do it. Your, you know, chief operating officer doesn’t do it. You are in this position. They put you in this position for a reason. And one of the things that I have always tried to do over my career is that if I have issues that I need to raise up, maybe through the compliance committee meetings or through senior management, I put together bullet points that seemed…you know. If you start talking a lot of jargon with these people, it’s gonna go right over their head. You got to bring it down to them and say, “Look, this is what sanction screening is about. This is why we have to do it. Here’s what happens if we don’t.”
You know, if you educate and make sure that you feel comfortable that you’ve given them all of the information that they need to be able to make, you know, a good risk analysis on this and you’ve documented that you’ve done it… Sometimes I do a lot of CLIA, you know. You do that as compliance officers. But as long as you’ve provided all that information and you’ve documented it to them, then I think that that’s your responsibility in this whole thing.
Now, do I get a little dogged about some of this stuff and a little, like, “No, we have to do it?” Yes, I do. Because I know what is supposed to be what we face as an organization with regard to risk. Eighty percent of our income is from Medicare. So, we’ve got to do it all right, you know, and there’s not a question. We’ve got to do it all right. So, that’s where I feel the importance, you know. As a compliance officer to feel like you’ve done your job, you need to make sure that you’ve educated well.
Matt: Okay. Nick, I promised I would give you a question about false negatives, and the risks thereof.
Nick: Thank you.
Matt: Go for it. What are your thoughts about this?
Nick: So, in all sort of scientific study or statistical analysis, there are two types of errors that exist. There’s a Type 1 error and a Type 2 error. So, a Type 1 error is the one everybody talks about, it’s the false positive. False positive, false positive. Absolutely, that’s an error. The Type 2 error is the false negatives. And I think that’s where the risk is. So, I’d love to get your perspective on this, Annmarie, but let’s just use an analogy. A Type 1 error is, you know, you give me your basket of apples to monitor or to check and make sure that there’s no bad apples in there.
A Type 1 error is saying, “Oh, look at this apple. It’s a good apple. This good apple is bad,” and I throw it out. “This can’t be in here,” and I throw it out. That’s a Type 1 error. That’s a false positive. The other one is, “Look at this apple. This apple looks good. It’s a bad apple, it’s rotten out,” and I throw it back in the basket. Those Type 2 errors are harder to get, but that’s where the risk is because if you carry forward the Type 1 error and you don’t hire somebody because of it, and they say, “Well, why didn’t you hire me?” And you say, “Well, you’ve been sanctioned in Arizona.” And they say, “Well, I’ve never lived in Arizona.” You say, “Okay, well, that’s a false positive.” Okay, great. Like, we have to rule out the false positives for sure. But the real risk is that we have a bad actor who’s changed their name, they’re going by their middle name or something, and they end up kind of making it through the net because our net isn’t sort of tight enough.
And we did a benchmark study about a year ago on all the confirmed matches that we found, and it was something like 84% were these Type 2 errors. Only, you know, that 16% or something like that were these Type 1 errors, or they were the confirmed matches from, you know, an exact match scenario.
So, that extra layer of that research is what can really allow you to have a higher chance of catching these bad actors that are gonna slip through on that exact match basis. So, we kind of take this Type 2 approach because I think, like I said, that’s where the risk is. And the Type 1s are gonna kind of take care of themselves in a coherent process. It’s a little bit more effort, but if you’re trying to solve it right and you’re trying to have that confidence when you go to the board to ask for the next thing, or if you’re able to stand on the work that you’re doing as a guardian of the organization with this particular risk, I mean, I just feel a lot more confident in those conversations knowing that I’m not just relying solely on an exact match algorithm. Because to Annmarie’s point, it’s a hot mess. The data is all crazy and it’s all over the place and it doesn’t always tie out.
Matt: Annmarie, what do you think of all that?
Annmarie: Well, I think you have a responsibility. Obviously, the false positives can be very easily worked and thrown out. And then you have the ones with, you know, the nicknames and all of the different places that… Some of these bad actors move across the country all over the place. And so, you know, what I do, I start out with…you know. What we do, obviously, use third party to do this because the numbers are so high.
But when we get information that looks like a possible match, we do all the research to either rule them out or identify them as somebody who needs to be excluded or someone whose employment needs to be terminated or whose contract needs to be terminated. And I think you have a responsibility to research all of those to rule people out or in, I mean, if you have to do it.
Nick: A hundred percent.
Annmarie: And you have to get a little creative on how you’re gonna do things. I mean, you know, John Smith, what is his last known address? Well, let’s Google. Let’s see what happens. Let’s see. Do we have…? If it’s an employee, I have them give me a copy of the employment application. What are their names they might have gone by? Where they’ve lived in the past. What does the resume look like? You know, what other jobs have they done? Are they new to the health insurance industry? Did they work at McDonald’s before? You know.
So, you have to get ingenious about… When all of those potential matches come back, the issue is you end up with this Type 2 scenario when you don’t research them and identify them as either being excluded or not being excluded.
Nick: Exactly.
Annmarie: So, you can’t, you know, just… I think it’s even more difficult from an audit perspective. You can show them that you’ve done these sanction checks, but if there’s a pile of false positives you haven’t worked, that is really damning.
Nick: Totally.
Annmarie: Because you have not done a due diligence to make sure that to the best of your information, knowledge, and belief, you have identified anybody who could possibly, you know, be on that list and you haven’t worked it.
Nick: Yeah, I mean, there’s no consistency of closing those loops. If there’s a pile of false positives to your point, or just a pile of matches that haven’t been rolled out, or work, that’s not a very…you know. That kind of a process from an auditors perspective, that doesn’t give them the warm and fuzzies that they wanna have to give, you know, that seal of approval.
Matt: Here’s a question from a listener. I’m not sure who might be able to answer this but, “If somebody uses a false name and you rule them out but they’re found to have a sanction against them, whose fault is it? Won’t they be more at fault as they falsified their identity in the first place?
Nick: That’s a good question. What do you think, Annmarie?
Annmarie: Well, I think in that situation, you’ve got to make sure you’ve documented every single effort that you did that was reasonable to identify that individual. Because, you know, to the extent that you can use, you know, NPI numbers, or you can use, you know, the last four digits of a social security number, or the birth date or the address. I mean, you have to show that you’ve done whatever you can do.
If they’ve used a false name and the government hasn’t found them yet, well, that’s one thing, but if they used a false name and you had information that you could easily or readily identify to rule that person as someone who’s excluded, I think that’s where you have to…then you’ve got to do it.
So, it’s hard, guys. It’s hard. And that’s why I think hot mess. I keep using that word. Bar these words. But I think that you have to do the best you can to document and do your due diligence on it… The other thing is…
Nick: Go ahead.
Annmarie: …if you’re in a situation whereby you have done your due diligence and you can’t rule them out…We have had this happen, you know. A well-known name, Justin… I’m just gonna throw this out. It’s not anybody. Identities are, you know, not here, but I’m just using this name as an example. Justin Chavez. There’s a ton of Justin Chavezs, just like there are Jill Smiths, okay?
And using a very common name, we did all of the research that we needed to do, and we could not rule them out. We just couldn’t. We called to get additional information from the government to the extent we could and we just couldn’t do it. So, it was an employee, and they were on a Medicaid list in one state and they were currently working for us in another state. And we did everything we could. We documented it, and we actually had him sign an affidavit that, “I am not the person listed on the LEIE list.” That’s our last resort.
But remember, too, if you have an employee and, you know, employees are at-will employees, and if there’s documentation that shows that there’s a really good chance that they’re persons on the excluded list, you gotta get rid of them. You don’t have a choice.
Nick: Yeah, that, you know, to your point, though, there I think we’re trying to prove… So, I don’t think this is like a foot fault game. If you have a great process and you’re putting forth reasonable efforts to get to a conclusion on all these names and they’re being worked and you have this auditable process in place and there’s a scenario like this where somebody has defrauded the government or something, you know, correct me if I’m wrong, I just don’t think that’s the glaring risk. The glaring risk is what can you actually control?
And I think the way you described it as reasonable, I think that’s the name of the game. There are those scenarios that you were talking about where the data doesn’t jive and you can’t get to this person to say, “Well, what’s your middle name?” Or, “What’s your maiden name?” Or, “What’s your birthdate?” Or whatever in that case, or maybe that information is often not even contained on the sanction that you’re using as your primary source to determine whether this person is in or out. And that affidavit is such a lock solid. Again, in the context of a coherent, cohesive program, that is such a lock solid safety net to give you that security that says, “Listen, if this person gets audited, you say, ‘Listen, I have a signature here, and I have a reason. And by the way, here’s my audit trail of me searching them repeatedly, and here’s my logic on why I made the decision I made.'”
Annmarie: So, I would not jump to the affidavit. That is like your last step.
Nick: A hundred percent.
Annmarie: You still have to do all of your research and document that you’ve looked at reasonable pieces of data that you’ve looked at Google, you’ve asked them for their driver’s license, you’ve looked at their job application, you’ve looked at their NPI number, you’ve looked at all of these things. And then, at that point, after all these steps that you’ve taken and you can’t move anybody out, your affidavit is your last step. But it has to be married with proof and documentation of your prior research.
Nick: Exactly. Yeah. And all that research should be documented as well. Yeah, that’s exactly right.
Matt: Here’s another question from a listener. “How much of the initial screening pre-hire falls on HR rather than compliance?” Annmarie, that sounds like a question for you first.
Annmarie: Oh, HR does it all for us, and it’s got to be done before hire. Don’t give them an offer letter until they’ve gone through the screening and you’ve ruled them out. That’s really critical. It can’t be done at the same time you’re sending a hire letter out, and it can’t be done after you’ve brought them on board. It’s got to be done before.
HR handles all of that. They have a process. And, in fact, that’s another element of documentation that I ask for so that what I have after the employee has been hired, I’ll call HR and say, “Hey, send me your screening list that you did before you hired them. I wanna see it,” and then they’ll send it to me. Because obviously, you can’t just do this upon hire. You got to keep doing it as long as they are employed by your organization, as long as the doctors are contracted with your organization, or they’re credentialed by you at the hospitals, you know. This is an ongoing thing. So, oh, absolutely. I don’t wanna even be involved with dealing with the people that were interviewing before we hire them. I want that HR does it. So, they do it.
Matt: So, describe for me your diplomatic relations with the HR department because that can be contentious for a lot of compliance and HR teams at a lot of companies. So, how do you get them to work well?
Annmarie: Well, one of the things that I think, just as a personal note, one of the things that I think has helped me in my career is that I generally get along with most everybody, unless we have a lot of… You know, there’s always people that are difficult in the workplace. But the HR department, when I was working with in the office was right down the hall, the VP of HR was right next to me. The Senior VP, our people officer was right next to me. And so, you know, I fostered a relationship with them from a collegial, you know, co-worker stance so that, you know, when we have to be dealing on some of these issues, it works really well. We work well together. I’m appreciative of them. They’re appreciative of me. You know, you work on developing those relationships in an organization so that when you have these issues that come up that it works well.
So, I have not ever had trouble with HR. There’s been an interesting… I’ve had, you know, some issues relative to working with legal counsel because remember a compliance officer’s positions on certain things is different than legal counsel. Legal counsel is concerned about protecting the organization. Compliance officer usually tends to be, you know, let’s do a lot more thinking about disclosing, or let’s do a lot more thinking about some of these things, and legal counsel looks and says, “Well, do we have to do it? Because legally, do we have to do it?” So, yeah. And I have more trouble or have in the past in having some little minor skirmishes with legal counsel on issues that I have with HR.
Matt: Okay. Nick, here’s a question that maybe I could put to you. But somebody was asking, “Do you ever run into situations where the temp agency or the agency doing pre-hire checks doesn’t know that they need to check state lists as well as federal lists?” And I wanna tweak that a bit to just maybe talk a bit more about how a compliance officer can work well with perhaps multiple contractors performing screening for them, and how you make sure that everybody is working together on the same page and going towards the same goals. I don’t know if you have any thoughts and advice about that.
Nick: Well, I do have some thoughts, actually. Yeah. So, Annmarie had said something earlier about them working with a temp agency where they required them to do some checks. And I was actually curious about, well, what standard are you asking them to check? Is it check it themselves? Is it across all 42 lists? All the state lists? Like, what level of screening did you require them to do? Because, as you can imagine, it’s all across the board. I mean, the temp agency game is a very difficult game, kind of regardless of industry. There’s a lot of the same economics at play because, essentially, the barriers to entry are, in general, pretty low.
So, it’s a thin margin game, and at some level, they’re competing on price, or they’re gonna compete on quality. So, if they’re competing on quality and they can charge a little bit more, they have to find a way to, like, prove that to the hospital system or the healthcare system that they’re providing labor to. But, you know, I don’t know. I mean, when you go out to eat, unless it says organic, they’re probably not spending as much as they can on food because they’re trying to get a little bit more of that margin. So, it’s easy to say, “Yeah, we do exclusion screening,” but what does that mean? Are you checking one list? Are you checking 60 lists? How deep of a dive are you doing?
Annmarie: Well, here’s what you do. I mean, I think what we’ve done is we always control this contractually. So, we put in our temp agency contracts exactly what databases we want them to search. And we also say, “You will not send us a nurse. A nurse will not go on to our floor and provide services to any patients unless you can certify.” And before they send us all the information, there’s a checklist and it says, “We certify that we’ve checked all of the exclusion lists and this person isn’t on it.”
So, we control it by contract, and we control it by the information that they send along with the temp before the temp appears into the hospital to go onto the floor. So, this protects us in a couple of ways. Obviously, legally, you know. If they’d send us somebody that they didn’t check, you know, and we end up finding out about it, then we can point back to the fact that we contractually required them to do it and they didn’t do it. And so that helps a lot.
We have not taken on because of, internally, the checking of temp employees, you know, as part of our checking at this point. I mean, that’s a revolving door.
Nick: Totally.
Annmarie: I mean, we’ve got temp employees that come and work three days and walk out, you know. And we also have nurses that do that, too, particularly when we had COVID that hit. They just said, you know, they weren’t signed up to treat people with COVID. But the bottom line is we do it contractually. We try to hold their feet to the fire relative to that, and then we make sure that they check before they send us a nurse that says, “We have checked the exclusion list and the person is not on it.”
Nick: Yeah. So, that sounds like you guys have a really great process for that, and it sounds like you have a great partner that you trust. And again, to some degree, you have that sort of firewall, because you have that contractually in there, and they’ve contractually agreed to, you know, do these lists and do them appropriately. It’s just gonna kind of depend, I think, the source that you’re getting this temp labor from and the extent to which you can sort of trust that they’re gonna those things. But building that into the contract is an absolute best practice. And to the extent, you can articulate what list you want checked and, hopefully, get that mirror to your own process. You’re just, again, gonna materially reduce that risk that could potentially be making its way into your organization through that revolving door.
Matt: Yeah, I wanted to ask another question about the audit process itself when HHS or some other auditor shows up. And Nick, you had said that they want to see that there is a sturdy and repeatable process. But I wanted to see if maybe either of you could flesh out a bit more. What should that be? Or what would a thoughtful process look like? And, for example, Annmarie, when you said having somebody sign an affidavit, that is the last step. I mean, in theory, you could have them just sign it as a first step, and like, “Oh, well, hey, man, they signed it. I guess we’re good.” Nobody’s going to accept that as a thoughtful process. So, what would a thoughtful process here look like that auditors will say, “Checks out, that’s great?” Nick, what do you think ,first, and then Annmarie if you have any ideas?
Nick: So, just like if you’re getting a tech audit, you wanna make sure that the people handling your tech have a SOC 2 certification. There are corollaries of this kind of thing in different industries, whether they’re ISO or they’re, you know, whatever. So, in our credentialing game, there’s an NCQA certification. So, that in itself seems to help a lot of these audits when they come in. I’m talking about for people that partner with us. The fact that we’re NCQA-certified, it’s a high bar for us to get over to show our processes work and our lists are updated quickly, appropriately, searches are done to a high level of quality.
That is a good sort of first step in terms of, like, well, who are you partnering with? But beyond that, to Annmarie’s point, it needs to be a consistent process, and there needs to be some kind of a policy around it. I mean, at some level, you’re kind of painting a picture that says, “Hey, I’m putting forth reasonable efforts to this thing that you guys care about. I’m putting forth reasonable efforts to make sure that I’m not letting bad apples in the basket.” So, do you have a policy? How often is that updated? Is it once every five years or never? Is it once every year or every two years? That’s obviously better. How often are you updating your internal lists?
I mean, there are some folks, you know, not naming any names, but they’ve had the same employee list that we’re monitoring that hasn’t been updated. That’s not that good of a situation. So, if you can show that, “Hey, listen, you know, I have a feed that’s going directly to my partner,” or, “Each month I’m grabbing a list from the HR system and I’m bouncing that against the lists that I’m searching,” that’s kind of the next step of it. What is my algorithm? Like, what’s the quality of my algorithm? Is it just an exact match basis? That’s not that reasonable for anybody who’s been in this game that knows it’s the hot mess that Annmarie has referred to because the data is dirty, right? Like, what data am I bouncing against these lists? And then, you know, finally, that sort of next mile of it is, what kind of research am I consistently doing, and how quickly am I ruling out these items?
You know, it’s all gonna start, though, from them just like any auditor, whether it’s a CPA doing a financial audit, or somebody coming and auditing your process. They’re not gonna go through line-by-line of all the millions of searches that you’ve done over the last 10 years. They’re going to do a sampling. And you know that. I mean, this is just basic statistical analysis that if I pull a reasonable size sample, I’m gonna get a good indication for the broader process. So, the point is, if you’re doing the process consistently, then whatever they sample, you’re gonna be able to explain away, or you’re gonna be able to show your receipts, so to speak, on the work that you’ve consistently applied to. You know, again, reasonably rule out or reasonably eliminate the risks in this really messy process.
Annmarie: So, I do have one… I’m sorry. Go ahead, Matt.
Matt: No, I was just gonna say, “What are your thoughts?” That’s all.
Annmarie: I’m like, “Okay, gotta talk about this. So, a couple of things as Nick was talking about the one customer apparently, one entity that is using an old employee list. When we submit our information to our vendor to do this, we rely on the updated roles of employees that are in HR, actually from the payroll list. And so when that payroll list changes, people drop off, whatever it is, or they’re new employees, you know they’re gonna want to get paid.
Nick: Got it. Great point.
Annmarie: So, you know payroll list has got to be updated. And then also, we have a credentialing list, and we have people who are doing nothing but credentialing for our physicians that wanna come treat their patients at our hospitals. Or, you know, we have a list of contracted doctors that are on call and our medical directors. You know, we rely on the credentialing list, which is constantly moving, but it is always updated.
So, HR can’t just give you a list on January 1st, and you’re still using in April 1st. You’ve got to make sure that you get those updated names. And the easiest way to do that is to leverage the databases that your credentialing people have and that your HR people have relative to who’s functioning in your organization because they have to be updated. Because let me tell you, an employee certainly wants to make sure they’re getting paid. So, they’re working there. They’re gonna be on that payroll list.
Nick: Well, that’s a really smart best practice because that’s gonna give you the highest confidence interval that you’re checking the people that are in play right now, you know. But, I mean, you know, the thing I always tell folks is, like, how can you prove that you’re putting forth a genuine effort, and how can you prove that that effort is reasonable, given the risks at hand? I mean, everything you said today, Annmarie, to me, checks both of those criteria.
Annmarie: Well, you know, okay, guys, let’s look at it this way. Let’s look at emails. Hillary Clinton knows that emails are discoverable, right? You know. We know about all that stuff, right? That whole thing with that, and there have been other emails. You see excerpts of emails in litigation, in situations not even involving the healthcare. So, what I’m trying to stay in all this is this, when we request, there’s an email trail when our compliance manager asks.
Nick: Great point.
Annmarie: If they ask for the credentialing list, and then the credentialing list is sent in a file via email back to Jolin. All of our emails are documented. You know, there’s a paper trail is what I’m trying to say. So, all of those steps showing that you’re doing your due diligence to get the most updated list of employees or doctors is in your email.
Nick: Yeah, and I think the other way to look at it is, like, if you’re putting forth a genuine process, there’s gonna be evidence of that genuine process everywhere. Like, if you’re genuinely trying to live a healthy lifestyle, well, you’re gonna have genuine data points throughout your day, what you eat, all those, you know. You’re gonna have receipts on your credit card statement that you’re not going to fast food. All that evidence is naturally gonna be there if you’re just solving for a genuine outcome, reasonable extinguishment of the risks that are at hand.
Annmarie: Right.
Matt: Here’s another detailed question from one of the listeners, I guess, probably to Annmarie. “How are you capturing students in the exclusion screening process?”
Annmarie: Well, students… We have affiliation agreements with different universities in the towns in which our hospitals operate. We don’t pay them, so they’re obviously not on employment rolls. To the extent that a student… I’m just thinking about this. Maybe a nursing student would be coming in as part of our affiliation agreement through University of Texas or something.
And to be truthful, I haven’t really spent a lot of time on that because…and I have to look back at our agreements to see if it’s covered in there. But generally speaking, I don’t believe the risk is as high if you’re dealing with a nursing student.
Nick: It’s not.
Annmarie: And so they’re possibly, but I don’t think it’s as you’re not paying the individual. There are certain limitations about what a nursing student can do on the floor, vis-à-vis kids are not licensed. There’s always somebody with them overseeing the work. So, that’s a very good question.
Matt: What about volunteers?
Annmarie: I haven’t really worried about being high-risk on that one.
Nick: So, I think the same thing…correct me if I’m wrong. It’s kind of the same answer for volunteers. I think what I’ve seen… You know, again, we have people across the board that we help out. I would say the top decile people or the top decile organizations we work with, they’ll do stuff that, you know, to Annmarie’s point, they’re screening everybody. They’re screening volunteers, they’re getting a list of students, they’re getting a list of anybody kind of coming in and touching it because again, think about, like, part of it… At some level, this is a persuasion game, right? Like, we’re dealing with dirty data. It’s a hot mess. The battle we’re fighting is really against an auditor or us getting pinched by, you know, our process not working. So, if you come in and you’re like, “Yeah, I got a list I updated every quarter, you know. Yeah, I have this pile of, you know, false positives, like I got to sort through,” that paints a very different picture than, “Hey, here’s my email trail. Here I’m checking everybody. I’m checking even the people that aren’t doing these things, and I’ve outsourced that,” or whatever.
It gives a different…you know. The eyes eat first. And auditors are human beings. We need to keep that in mind. When you can serve up a little package to them, you know, and they’re like, “What is your policy?” And they see you’re looking under the rocks that, you know, even are kind of the low-risk rocks, it just paints a different picture about the program that you’re operating than something that seems a little bit more half haphazard or, you know, less consistently applied.
Matt: So, we only have about five minutes left. I wanted to sneak in one bigger picture question here if I could, maybe for Annmarie first and then Nick, but how much does the screening program work with or depend on the other parts of the compliance program? Because, you know, you might need a good internal reporting program so employees could maybe report somebody they know who shouldn’t be there. You might need solid and reliable investigation procedures. We had a lot of questions about termination procedures, how to make sure that all of that goes smoothly. So, there’s a lot of other policy management issues, internal reporting issues. And I was just curious if you could talk a bit about how important it is to have all that other stuff lined up so that the sanction screening fits in nicely with the whole.
Nick: Totally.
Matt: What do you think, Annmarie?
Annmarie: Well, you know, the sanction screening is one element of an effective compliance program. And, you know, when you have a federal auditor coming in and looking at your compliance program, they’re gonna look at exclusion screening but they’re gonna look at a heck of a lot more. Have you met the seven elements of a compliance program as identified, you know, by the corporate U.S. sentencing guidelines? You know, have you done those sorts of things? So, you know, you could have a very robust screening program, but if you don’t have a robust or an effective compliance program, you’re kind of SOL from my perspective because you really have to have. It is an important component that must be addressed, but it is part of the larger compliance program that needs to be there, an effective compliance program.
Nick: Totally spot on.
Annmarie: There’s the cat.
Nick: Oh, you’ve got a friend. We got a little friend join us.
Annmarie: Hi, everybody, this is Harry.
Nick: Hi, Harry.
Annmarie: He was sleeping for most of the time, but now he’s here.
Nick: Oh, the star of the show graced us with his presence right on the back, and I love it.
Matt: So, Nick, do you have any other…maybe final words or anything before we wrap up here?
Nick: Yeah, I mean, to Annmarie’s point, this has been a great webinar. I thought this has been phenomenal. But to your point, there’s also a lot of data in here, you know. The battle that I always hear folks in ethics and compliance fighting is, like, people look at us as a cost center. People don’t appreciate the effort that we’re doing. I have the weight of the world on my shoulders, and I don’t get the resources we need.
So, again, there’s an internal persuasion game that the sanction screening and exclusion screening process can help bolster the case for the extreme value that Ethics and Compliance departments play for their broader organization. So, some simple benchmarking, which we’ve helped some folks with to show, like, “Hey, these are the kind of risks that we would kind of face. This is what we’ve extinguished.” You know, it’s hard just by the nature of the roles that we have. Like, how much money have you saved in insurance premium uptakes from, you know, you driving responsibly? You can’t quantify. It’s hard to. So, you have to kind of get a little aggressive and a little creative with taking credit for that and painting the picture for the work that is done because, again, an error on this side of the fence, even in, you know, a good compliance program can have rippling effects across the organization, and then all that blame is gonna fall to the side.
So, articulating our value within an organization is I think one of the other massive opportunities that we have. And we just have so much data, and we have so much benchmarking opportunity for this particular role to again show a different side of the facet of the shape of a strong compliance program that we’re offering.
Matt: All right.
Annmarie: Right.
Matt: Well, we will have to leave it there. But Annmarie Gover and Nick Gallo, you guys have been great speakers. We have a whole bunch of people asking for a part two webinar sometime in the future.
Nick: The sequel. Hopefully, this will be a good sequel.
Matt: So, who knows? We’ll pass that on to the ComplianceLine marketing people, see what they say.
Nick: Okay, good.
Matt: But thank you to ComplianceLine for hosting this event, and thank you to everybody who’s joined us today. So, that should be all. And have a good day, everyone.
Nick: Bye, everyone. Thanks for joining us.
Annmarie: Bye, everybody.
Nick: Take care.