University of California San DiegoAudit & Management Advisory Services
Regents Committee on Compliance and AuditHealth Sciences Activities in Compliance
Kathleen Naughton: UCSD Health Sciences Chief Compliance & Privacy OfficerStephanie Burke: UCSD Asst. Vice Chancellor for Audit & Management Advisory Services
January 20, 2011
University of California, San Diego Governance Overview and Compliance Activities
Regents of the University of
California
UCSD Governance Organizational Structure 2010
President ofthe University of California
Academic Senate of the University of California
Shared Governance Responsibility
UCSD Chancellor
General Counsel
Secretary
Chief Compliance and Audit Officer
Treasurer UCSD Academic Senate
Senior VC – Academic Affairs
VC for Research
VC Marine Sciences
VC Student Affairs
VC Resource Mgnt & Planning
VC External and Business Affairs
VC Health Sciences and Dean SOM
UCSD Compliance, Audit, Risk and Ethics Committee
Standing Committees (23)Other Appointed Committees (5)
2
Compelling Agenda for Committee
ComplianceAuditRiskEthics
Themes for Committee
Sub Committees
Audit IssuesCompliance and
MonitoringRisk Assessment Research Oversight
Communication and Training
Transparency AccountabilityRisk Management
Health Sciences Compliance Student, Staff and Faculty
Ethics
UCSD Governance and Accountability Structure 2010
Information Privacy and Security
3
Auditing Controls: Controls performed outside of the line management structure by representatives of the governance function on a sample basis through a risk assessment process to assess the overall existence and effectiveness of the entire internal control environment.
Oversight Controls: Controls performed on a frequent and regular basis outside of a process but generally within the UCSD line management hierarchy by middle or senior managers and their representatives to gauge the effectiveness of operating and monitoring controls. In selected high risk cases such as health sciences billing, controls are performed by an organizationally separate compliance function.
Oversight Controls
(Compliance Responsibility)
Monitoring Controls
(Supervisory Responsibility)
Focused Reviews (Audit Resp)
Operating Controls(Employee Responsibility -
Controls Embedded in Processes)
Monitoring Controls: Controls performed within the process or immediately after the process by first line supervisors or representatives to insure operating controls are working effectively.
Operating Controls: Controls embedded in the process and which are provided by employees in the process to insure that process objectives are achieved.
UCSD Audit , Compliance and Line Management Responsibilities
4
Risk Assessment Activity and Coordination
Risk Management Responsibility
Senior VC – Academic Affairs
VC for Research
VC Marine Sciences
VC Student Affairs
VC Resource Management & Planning
VC External and Business Affairs
VC Health Sciences and Dean School of Medicine
UCSD Compliance, Audit, Risk and Ethics Committee
(CARE)Health
Sciences Corporate
Compliance
UCSD Chancellor
UC Systemwide Chief Compliance & Audit Officer
Information Security and
Privacy Function
Research Compliance
Audit & Management
Advisory Services
EH&S
Health Sciences Risk Management
Campus Risk Management
UCOP CFO Enterprise Risk Management Initiative
UCSD Decentralized Environment
UCSD Enterprise Risk Management Overview
5Health Science related
University of California San DiegoAudit & Management Advisory Services
Regents Committee on Compliance and Audit
University of California, San Diego Health Sciences Compliance Program Report
7
Outline• Organization
• Key Program Components
• Education initiatives
• Monitoring focus areas
• External government audit activity
• Work Plan
VC Health SciencesDavid Brenner, MD
Dean for Clinical AffairsThomas McAfee, MD
Chief Compliance & Privacy Officer
Kathleen Naughton
Executive ComplianceAdvisory Group
HS Compliance,Privacy &
Enterprise RiskManagement
Committee(HSCP-ERM)
Privacy Program Manager
Research ComplianceProgram Director
UCSDCompliance, Audit, Risk
& Ethics CommitteeCARE
(Campus)
UC San Diego Health SciencesCompliance Program
SVP Compliance& Audit
UC Systemwide
UC Board of Regents
Corporate Compliance Program Manager
Rev.: Dec-2010
Advisory Groups• Privacy Security
Advisory Board• Research
Compliance Advisory Committee
• Clinical Data Access Taskforce
Physician AdvisorCompliance & Privacy
Lee Giddings, MD
8
9
Key Program ComponentsCorporate Compliance, Privacy & Research Compliance Programs
1. Oversight2. Policies, standards, code of conduct3. Education *4. Communication, hot line5. Monitoring *6. Enforcement *7. Response, prevention initiatives
Incorporates the Federal Sentencing Guidelines’ 7 key elements for effective compliance programs.
* Education, monitoring & enforcement have the most
impact.
Education Initiatives – FY2011• Compliance Program▫ New employee orientation includes compliance / HIPAA▫ New clinical provider compliance training▫ Annual coder training (8 hours), webinars▫ Monthly newsletter, topic specific billing guides
• Privacy Program▫ HIPAA training (annually)▫ Posters: Information Security Awareness▫ Monthly newsletter, topic specific training modules
• Research Compliance Program▫ Training program for research staff▫ Monthly newsletter, posters, brochures
10
11
Program Focus Areas • Work Plan ▫ Risk assessments (annually)
• Monitoring & Reporting to Leadership (examples)▫ Billing: profiles, coding vs. documentation reviews, complaints▫ Privacy: electronic activity (surveillance of user access)▫ Clinical trials: risk assessments, compliance with standards ▫ COI: outside professional activity reports (APM-025)
• Enforcement & Prevention Methods▫ Refund over-payments, suspend billing▫ Implement corrective action plans▫ Change processes, update policies ▫ Provide training on procedures, offer continuing education▫ Apply sanctions in accordance with UC personnel policies
12
External Government Audits – FY2010• Compliance Program▫ Medicare Recovery Audit Contractors (RAC)▫ Medicaid Integrity Program Audits (MIP)▫ Office for Inspector General (OIG), self-audit(s)▫ Health Care Reform initiatives / ARRA Due to increased government funding to fight fraud and abuse, audit
activity will continue to rise. Expect scrutiny over the use of ARRA stimulus funds.
• Privacy Program▫ CDPH investigations: reported breaches (licensed facility): 17▫ Fines for serious breaches: 0▫ Fines for untimely reports: 0 Breach notifications are required to CDPH and the consumer within 5
business days. Fines for late reports: $100/day/name▫ Large scale incidents (>500): 0
13
Compliance Work Plan – FY2011• Compliance Program▫ Monitor billing claims to ensure accuracy Scheduled reviews, investigate billing complaints Assure that overpayments are refunded within 60-days (PPACA law) Use government audit activity to assess controls
▫ Monitor annual reports of outside professional activity (APM-025)▫ Participate in UC systemwide education initiatives ICD10: New diagnosis coding structure, effective 2013 Clinical research billing: Clarification of complex rules
• Privacy Program▫ Monitor user activity (electronic surveillance)▫ Investigate complaints▫ Update privacy policies & education modules (HITECH laws)▫ Promote privacy / information security (access control, encryption)
* Example of the compliance work plan, partial list
University of California San DiegoAudit & Management Advisory Services
Regents Committee on Compliance and Audit
University of California, San Diego Audit and Compliance COI Risk MitigationInformation Item - Appendix
Key risk areas for faculty and institutions: Conflict of Interest and Conflict of Commitment• Federal and state laws governing conflict of interest, conflict of
commitment, disclosure of financial interests for research and medical compensation are relatively complex.
• Changing environment: Federal regulations in this area are becoming more stringent and government funding for anti-fraud initiatives is on the rise.
• The appearance of a conflict can undermine public trust, even in situations where mitigating factors are made known to the public.
• The consequences of failure can adversely impact research, funding, and result in individual faculty penalties, fines, and license restrictions.
Risk area to the institution: Resources & Decentralized Processes• Current campus and departmental systems for tracking disclosures of
financial interests are manual, cumbersome and decentralized.
COI Risk Overview
New financial conflict of interest (FCOI) rules were proposed in the May 21, 2010 federal register in order to reduce conflict of interest in research. The proposed regulations would:
Require Public Health Service (PHS) funded investigators to disclose to their institutions all Significant Financial Interests (SFIs) related to their institutional responsibilities. This would move the responsibility for determining if an investigator's SFI are related to his/her PHS-supported research from the investigator to the institution.
Lower the monetary threshold at which interests require disclosure, generally from $10,000 to $5,000.
Require institutions to provide the PHS Awarding component (e.g., NIH) significant additional information on identified FCOI and how they are being managed.
Require every PHS-funded institution to post, on a publicly accessible website, information on certain SFIs that the institution has determined are related to PHS-funded research and constitute FCOI.
COI Changing Regulations
Patient Protection Affordable Care Act of 2010 (PPACA) includes a Physician Payment “Sunshine Act” Provision: Prevents conflict of interests and insures transparency of information for
patients by requiring all drug companies, device, and medical supply manufacturers to fully disclose to HHS and any gifts or payments made to physicians, as well as any other financial relationships that they may have with doctors, physician practices or physician groups.
Data is to be reported to the federal government electronically to ensure public availability of the data in an easily searchable format on a website.
Details:• Data recording begins January 1, 2012 and reporting start to the federal
government begins as early as March 2013. • Device, drug, medical supply, and biologic companies must report
information related to the nature of the payments and other transfers of value to physicians and hospitals for values of $10 or more (or for $100 total in a calendar year).
• This bill will pre-empt state laws that are similar or weaker than this provision, but will not pre-empt more restrictive laws.
COI Changing Regulations
Risks Risk Reduction
Conflict of Interest
(COI)
&
Conflict of Commitment
Submit: Calif. 700-U form (Conflict of Interest) for IRB research studies & service agreements with industry
Report: Outside Professional Time (APM-025)
Comply with Health Science department’s good standing” criteria – HS Compensation Plan (APM-670, Outside Professional Income)
Report: Time / Effort – research grants (Federal Regulation: OMB Circular A-21, J.10)
Adhere to UC’s policies and procedures for COI and health care vendor relationships
COI Risk Mitigation: Policy Requirements
UCSD COI Risk Mitigation: Focused Reviews
AMAS Review of Conflict of Commitment Policy (2007) Limited instances of non-compliance with policy Dean/departmental responsibilities for disclosures not clear Greater coordination and information exchange between COI and Academic
Personnel needed to monitor disclosures
AMAS Review of Health Sciences Research Conflict of Interest (2009) Disclosure form submission process was paper-based and complex Greater coordination and information exchange between COI, Human Subjects
and Contracts & Grants needed to monitor disclosures
AMAS Consultation on Disclosures for Non-Faculty Appointments Over 50% (2010) Employment contract clarifications needed
Current Systemwide Audit (in Process)
Education Initiatives – Health Sciences Compliance Program
Purpose:• Prevent, detect, and correct violations• Support the health science mission – quality patient care, teaching and
research • Demonstrate a commitment to making ethical decisions in an organizational
culture that values compliance and promotes awareness of duty to report concerns without fear of retaliation.
COI education points: • Avoid participating in, influencing, or making a decision that benefits your
financial interest• Duty to disclose, recuse, divest, and/or seek advice
Flexible, scalable approach to education / training: • Use staff meetings, the learning management system, webinars, newsletters,
posters, web resources, email, policy and guidance documents
UCSD Risk Mitigation: Oversight and Monitoring
UCSD COI Risk Mitigation: Oversight and Monitoring
UC San Diego Health Sciences – Compliance Program • The Compliance Program ensures that Health Sciences faculty and other
workforce members adhere to the myriad of regulatory requirements associated with UC’s mission of teaching, research and patient care.
• Compliance Advisory Group:• Reviews all conflict of commitment disclosures (Category 1 and 2) and advises
the VC-Health Sciences. Category 1 requires approval from the Vice-Chancellor and Chancellor.
• Issued a revised APM-025 form, “Reporting of Outside Professional Activities”, with assistance from UC counsel (FY11).
UC San Diego Health Sciences – Vice Chancellor’s Office• The Vice Chancellor’s Office implemented the revised APM-025 form which
combines required disclosures for time and income associated with outside professional activities by SOM faculty members. This form incorporates some anticipated changes in federal disclosure levels.
UCSD COI Risk Mitigation: Oversight and Monitoring
Health Sciences: • School of Medicine Dean’s Office established “good standing” criteria
which requires that departments have transparent implementing procedures for salary negotiation; and that faculty comply with the Health Sciences’ Code of Conduct and the annual reporting of outside professional activities in order to earn and directly retain income from such activities.
• The Compliance Program monitors faculty reports for compliance with APM025 policy.
• Office of Continuing Medical Education (OCME) requires speakers to disclose financial interests.
COI Risk Mitigation: System & Operational Improvements Planned
Development of a systemwide real-time on-line user-friendly system for disclosure of financial interests and tracking of research COI disclosures
Efforts are underway to develop campus-wide support for such a system. UCSD had dedicated a full time programmer to the Kuali-Coeus COI initiative, which is now gaining support from multiple campuses.
Expansion of the list of “designated officials” required to annually disclose financial interests to include Health Science department chairs, division chiefs and chief administrative officers.
Conclusion
Laws and regulations that govern conflict of interest, health care and research conduct are complicated, and penalties for not following these regulations are severe.
Audit and Compliance Program staff provide oversight, auditing and monitoring resources for managing areas of risk.