In this episode, Judy Waltz, Co-Chair of Foley’s Health Care Practice Group, and Shannon Sumner, Chief Compliance Officer and Nashville’s Office Managing Principal of PYA, dive into what it takes to get back to “normal” for compliance programs following the PHE and the burning questions clients are asking.
We encourage you to listen to the podcast in its entirety.
Please note that the interview copy below is not verbatim. We do our best to provide you with a summary of what is covered during the show. Thank you for your consideration, and enjoy the show!
Judy Waltz
Hello, and thank you to Angie and Jana for that wonderful introduction. I’m Judy Waltz, I’m Co-Chair of Foley’s Health Care Practice Group that has about 40 core health care lawyers and approximately 200 members in a larger sector strategy who service health care clients. My personal practice revolves around the federal health care programs, specifically a continuum of reimbursement and compliance issues that starts with reimbursement strategies and continues through regulatory compliance enforcement actions, false claims act settlements, CIA negotiations and implementations. And Shannon, why don’t you tell people what you do?
Shannon Sumner
Okay, well, hello everyone. I’m Shannon Sumner, I’m a Principal and Shareholder with PYA in our Nashville office, and I lead our firm’s regulatory compliance service line, and our team specializes in helping our clients with implementations of compliance programs, serving as an independent review organization to health systems and physician practices under corporate integrity agreements, to also serving as onsite and remote resources to compliance departments in fulfilling their compliance obligations and work plans. So we’re excited today, this is the purpose really of this first podcast in a series of podcasts, is what we like to call reflection and focus and getting back to normal for compliance programs following the public health emergency. We want to share ideas and insights regarding some of our most frequently asked questions by clients. So let’s go ahead and start, Judy.
Well, the first of today’s quick hits includes the topic that I think all of us will enjoy hearing, the PHE is over, finally, but now what? Well, essentially every compliance work plan should incorporate reviewing the areas, or some of our clients are actually utilizing what’s called departmental self-assessment, to really look at how they may have taken advantage of some of the waivers which have recently expired to ensure compliance. So really every work plan, if not already, should have some of those elements of assessing the waivers and how the organization has adapted to that. Now, both PYA and Foley have some really great resources available on our websites to include checklists, blogs, and webinars, so be sure to check them out. But really, Judy, what do you think the audience should really know that’s really important for after the PHE?
Judy Waltz
So I think this is an important topic for some reflection for people to do on their own. I mean, certainly we (Foley) have done it and we’ll give some of our thoughts. But I think it’s just a time where we had a very significant event and three years of rapid response and being in crisis mode really, and need to think about how that changed our programs in terms of compliance efforts and how it should change them. So compliance during that time likely became more reactive than proactive as we hope it to be, but there’s some lessons to be learned by that , as well. It may be specific to each entity. There may be some necessary process improvements because during the PHE, there was such a focus on getting things done that quite frankly, I’m sure that some shortcuts were taken. I’ve seen a few of them, and certainly they are understandable when everyone’s operating in crisis mode, but those need to be reexamined.
We have to figure out how to maintain the momentum of compliance, especially when people are just exhausted from COVID, and is there an attitude of tolerance? These were my thoughts as I was musing about what’s different in terms of my compliance practice, the compliance part of my practice post PHE. And one of the things that I have seen a lot of people raise is what I’m calling an attitude of tolerance, an expectation that if you were trying hard and got the job done [during the PHE] that some of the formalities may not have been totally complied with, but that the government and the enforcers will understand that. I don’t think they’re going to be that tolerant in terms of going forward, that I think that some of those formalities may be excused, but it’s not going to be the free for all that anything that happened during the PHE is going to be acceptable as long as you got a job done at the end of the day.
I think that we’re going to have to account for the funds that have been received in addition to the usual resources, just a lot of things that happened during the PHE that we’re going to have to be able to stand behind. And some places are also experiencing some resource limitations with the ebb and flow in terms of clinical procedures as people stayed home during the pandemic and then caught up after the pandemic and a lot of things of that sort. So Shannon, what are your ideas on all of this?
Shannon Sumner
I really agree with that in terms of compliance officers and compliance programs, even before the PHE, really struggled, in many cases, to be more proactive versus reactive. And then this came across and really lit the fire of having to think, going back in time a little bit to think about, well, how did we do it before? And the ways that we did it before might have not been optimal. To your point, I do feel as if we’ve learned many, many lessons of how can we be more efficient. I’m going to talk in just a moment about risk assessments and really understanding what are those risks outside of all those areas that were being thrown our way during COVID and the PHE. And really articulating some of the risks that are present for organizations, a lot of those are still there and were not addressed because of having to shift to dealing with the PHE.
I know of some clients and some compliance officers who literally were in the ER helping to do some administration and triaging in a non-clinical setting, but helping in some of those capacities. And in so many ways, I think all of us have our own levels of PTSD and how did we adapt? And certainly we have some of our amazing clients and friends in health care industry that were true warriors during this process. So really thinking about how to be back to normal., I don’t know if there ever will be such a thing, but there have been good lessons learned in terms of how we reacted, how we adapted, how we collaborated. I have seen some clients do some debriefs on where we had efficiencies, where we can continue some of those operations and taking advantage of some of the lessons that we’ve learned.
But one of the areas that we are starting to hear a lot more questions from our clients is related to, well, where do I focus? Now that we know of some of the areas that we dealt with during the epidemic or the pandemic, as we start thinking about it in terms of resources, we all kind of can go back to some of our tried and true, and one of those is really the OIG work plan. And so just reflecting back on some of those insights that were added just this past month in May, I really don’t think there’s a whole lot of areas that came as any surprise to our listeners. But one of the ones that was listed is related to opioid use, that is still considered a public health emergency in and of itself. And per the OIG website or the OIG work plan, it does talk about how, it’s a scary statistic, but in 2021, an estimated 82,310 opioid related overdose deaths occurred in the United States. I mean, that’s earth-shattering right there.
So the purpose of this particular alert from the OIG is really to focus on opioid use and Medicare Part D in 2022, they have an annual review, and so they’re actually going to be looking at that. And it does provide data on the number of enrollees who received extreme amounts of opioids through Part D, and who appeared to be doctor shopping. I know we’ve heard that before, but it also identifies prescribers who ordered opioids for large numbers of these enrollees. And so that brief actually provides data on the number of enrollees who received drugs to treat opioid use disorders and the number of enrollees who experience such an overdose. So that would be an area to continue to focus. And then obviously as a result of the pandemic, the analysis of patient harm events, the OIG will determine the extent to which hospitals identify patient harm events and report those events to external entities.
And then finally, one of the items that was listed in May was SNF initiated discharges. And it says that from 2011 through 2016, the Older Americans Act of 1965 was actually an advocate on behalf of older Americans. So they are starting to evaluate those discharges, to make sure that those discharges were appropriate. So for our audience, I think it would be really important to ensure that those items on your [local] work plan. But Judy, what are some other things that should be considered from that particular work plan or areas previously reported on the work plan?
Judy Waltz
So let me talk a little bit about the OIG work plan and how I see it factoring into compliance at various hospitals and other types of providers. So obviously it comes from the OIG and it’s now updated throughout the year. It used to be a one-time a year deal. For items to get on the work plan, one of the OIG offices has to propose that they will be undertaking or leading this study. And so usually by the time something gets to the work plan itself, the OIGs already identified a problem with that particular issue. So some of the statistics that Shannon just gave us, show that they know there’s a problem there. So definitely you need to monitor the work plan and figure out if any of these apply to you.
So these aren’t things that OIG just thinks might be a problem or might be kind of interesting to look at. They’ve identified enough to get some sort of formal approval in terms of going forward with spending the time and resources to look into whatever this topic is. So obviously monitoring that will give you some idea where the OIG is headed, where they’ve identified problematic areas, at least suspect problematic areas. In terms of how you use the [identified issues] though, obviously you’re not going to take every single issue that they identify the work plan and put it on your risk assessment. A risk assessment really needs, and Shannon can talk more about how these are actually done, but the risk assessment needs to be customized to the individual compliance program and where you identify your own highest risk. So this is one part of developing a risk assessment, but it’s not the end of the story. I also wanted to note that that OIG is saying that it’s two top priorities this year will be managed care and skilled nursing facility services.
So on the managed care side, it’s going to be interesting to see how that plays out. OIG has also said that they’ll be revisiting their compliance program guidance, all that stuff’s way old now, but the first one up that they plan to issue next year is going to be the managed care compliance guidance. So again, that circles back to what the OIG priorities are. And then with respect to SNFS, Shannon just shared with us that the SNF initiated discharges is something that OIG has identified as a very high risk topic.
So let’s move on, Shannon, let’s talk a little bit about DOJ compliance guidance. I think one question when people hear that there’s new compliance guidance from DOJ is how does that relate to me, I’m just a compliance officer, my small hospital has no criminal activity here. Well, the DOJ guidance, and again, it’s aimed at criminal cases, just because that’s where they’re focused in this particular guidance, and this is available on the DOJ website, which is www.justice.gov.
The reason is that it becomes something of a standard of care that if there’s guidance that indicates what DOJ thinks is a good compliance effort in terms of trying to prevent fraud, waste and abuse, certainly on the criminal side, but it becomes a standard of care in terms of metrics to apply to the program. There’s also a new DOJ self-disclosure process where I think we’re all familiar with the OIG self-disclosure process, and there’s also one for Stark cases that CMS operates. So now DOJ has its own self-disclosure process as well. And going back to the guidance though, the DOJ guidance that we were just talking about, not the self-disclosure, although you would probably be disclosing this as well, the guidance is indicative of DOJ’s focus now on voluntary compliance programs and assuring that they actually work.
They aren’t just a copy of a plan on a shelf, which I have a story that I won’t share right now, but I do have a story about compliance plans on the shelf. One of the elements in the guidance is to inflict personal pain, we’re talking about criminal cases here, but DOJ is looking for clawbacks. Clawbacks, meaning that if somebody contributed to a particular problem and they benefited from that in terms of their salary or their bonuses, that DOJ would expect a clawback of those bonuses and salary from the individual that was determined to be culpable. So from my experience, that never goes over well when you bring that up as a possibility. But again, this is likely to become a community standard in terms of expectations, not just from DOJ, but from OIG and all the way down. So Shannon, how about you share some more specifics on that with us?
Shannon Sumner
Yeah, I’d love to. You mentioned about the guidance and it’s most recently released communication, and that was actually back in March of this year, the DOJ does reference how they’re going to incorporate or how they have incorporated two significant changes to its process for evaluating executive compensation methods as a component of an organization’s compliance program. And they actually call it “consequence management,” and they will actually assess an organization’s use of consequence management as part of its valuation of a compliance program. So for example, does the organization not only detect non-compliant behavior, but also impose those financial penalties such as contractual provisions that require repayment of compensation received as a result of non-compliant behavior? So as you mentioned, Judy, those clawback provisions address such misconduct. But second, the DOJs criminal division is launching a three-year pilot program which will require that as part of a criminal resolution compliance programs include those compensation related criteria. And additionally, the program will offer fine reductions for organizations that clawback compensation in appropriate cases.
So as you mentioned, it’s not exactly an area that organizations may want to hear, but actually how would an organization actually go about incorporating some of these practices if they choose to go ahead and get ahead of this? So some of the areas when we have talked through this with our clients, a few of these questions have arisen in terms of how you actually would go about incorporating it. So first of all, when we think about performance and performance obligations, really looking at whether performance evaluations have compliance as an appraisal element for all employment levels, and does the organization align incentives and performance evaluation criteria with ethics and compliance objectives? So in many cases, you might have an organization that has what’s called a balance scorecard or other measures, but really is compliance a key element of that, and how would you go about actually implementing it?
It’s easy to say that you do it, but you really have to look at some of the challenges and some of the steps to actually incorporating those new expectations. For example, is the incentive program consistent with compliance program expectations and requirements? One example of this is whether there is a process to ensure bonuses and other incentives for ethical compliance behavior, whether they’re tied specifically to established and quantifiable metrics. So actually, how would you go about evaluating it, and is everyone on board with the requirements and the elements of those metrics and what the expectations are? And as I mentioned earlier about that balanced scorecard, it can only be balanced if it’s given the same weight, for example, as any financial, strategic or clinical and quality measures. Do job descriptions include a requirement regarding commitment to compliance and compliance program responsibilities?
And we have really seen these at varying levels, some may just highlight or allude to a compliant and ethical behavior, others that we have seen really go into a lot of detail, maybe even connected it to the compliance program and the additional policies and procedures related to the compliance program. Another area to consider are whether these expectations for a compliance program, are they clearly communicated during orientation and then again, an annual education, and then obviously periodically throughout the year, how are you communicating those expectations? And are callbacks already being used as a method to deter noncompliance? And one area that we had been asked and had a dialogue with human resources is whether those clawback processes are actually compliant with applicable state and federal laws. A few other areas to consider, what’s the organization’s process?
You mentioned, Judy, about self-reporting, but within the organization, are there processes for self-reporting related to your non-retaliation policy, to ensure those are aligned? And has the organization conducted that compliance program assessment? And whether or not, and I have seen some organizations that have done this and did this many, many years ago, which was actually leading edge at the time, is actually connecting a compliance program assessment to the senior leaders executive compensation. Just like any other measures, if they have great findings, then is that connected to maybe an incentive or a compensation bonus structure? If they have significant deficiencies over time, if it’s trended, how are those factored into those or those senior leaders executive compensation?
So there’s a lot of different moving parts to consider and areas to think through before this is something that you can actually just say, “Hey, we’re going to clawback provisions or compensation provisions.” So I thought those were some interesting concepts that have actually come up in some of our dialogue with our clients. But Judy, one of the things that you had talked about and alluded to earlier is really that risk assessment and how before or even during COVID, some of those risk assessments kind of went to the side and really focusing on more of a reactive strategy, but from someone who’s conducting a risk assessment, where do I start?
Judy Waltz
So you’re talking to a lawyer here, so I’m going to talk about attorney-client privilege, but I also want to just comment that post PHE seems like a particularly good time to be doing a risk assessment. It’s sort of a ground zero where you can assess what you have in place and what you need to dig in deeper on or retrofit or totally change directions. The new DOJ guidance obviously provides some additional reasons to do that. But let me talk about in terms of if you do decide to do a risk assessment, why, I, as a lawyer, would recommend that it be done under attorney-client privilege. And that’s because, we’ll see if Shannon agrees with me on this, the best possible result is that you identify a problem you had no clue was there. I mean, the risk assessment, you’re going to identify for the risk assessment, the areas that you want someone to look at, but believe me, some surprises come up along the way.
And the issue with attorney-client privilege is it’s sort of like the genie in the bottle, once it’s gone, once the genie’s out, there’s no getting that genie back in that bottle. And it’s the same way with attorney-client privilege, if you don’t set it up at the beginning with attorney-client privilege and then you find something awful, you can’t retroactively assert it to cover whatever it is you found. And believe me, I’ve had some people who really wanted to do that. So you can always waive the attorney-client privilege down the line, and I know some compliance programs have a very strict approach about attorney-client privileged investigations or risk assessments, with an idea that compliance means transparency, and I get that, and there may be processes that you have to go through. One of my clients used to, and they’ve gotten away from this now, but they used to require a long memo [to establish that a matter should be addressed under privilege].
You can always waive the attorney-client privilege down the line, and certainly if you find something that you have to deal with and disclose and repay an overpayment, you’re going to do that. But the attorney-client privilege protection just gives you a lot more options down the line than if it’s going to be circulated to the entire world or your company.
So I think that they always should be done under attorney-client privilege, but again, I’m an attorney. So Shannon, tell us more about doing the actual work with these risk assessments.
Shannon Sumner
Yeah, absolutely. And it’s interesting just hearing your perspective, because I’ve lived in this world and two different scenarios. One, before coming back to PYA, I was actually with an organization, we were a health care internal audit organization for about 16 years. And so reflecting back on when I would do our organizations risk assessment, those are the times when it was rare to be under privilege. But at the same time, to your point, Judy, we did not get into, in many cases, that level of analysis. It was more of here’s a risk area that we need to put on the work plan and then we will dive into it. And at that point in time, when we dove into the actual area, whether it’s a coding or billing documentation audit, or whether it was physician compensation arrangements, relationships with referral sources, at that time is when we would decide on whether to engage, whether to do it under attorney-client privilege.
From the perspective of being a consultant and actually conducting risk assessments for clients, we do see that more often, particularly when we get engaged, it might be because there is a identified area that needs a little bit more deeper dive. And so certainly to your point, and to use a southern expression, the horse has left the barn, you can’t put the horse back in the barn. And that’s the same scenarios that we would encounter in some cases when we had a risk assessment that was performed, we identified a particular compliance matter and then we would stop and then we would have discussion with outside counsel on moving that forward. So those are the two different worlds that I’ve lived in, but actually it can be a daunting task a little bit to do a risk assessment. But a few things that really I’ve seen of late with our clients as we review their compliance programs and in particular, their risk assessment processes.
Some of our clients, again, Judy, as you mentioned earlier, they have that risk assessment fatigue, similar to COVID fatigue, and for some of us who have gotten out of our fitness routines, we can also experience that muscle memory loss. Either we use it or we lose it. So conducting a risk assessment process is really similar, because of COVID, some providers were not able to complete their work plan items from 2020. So we are also seeing where some of those risk areas have just stayed on the work plan and they’ve been pushed from year to year. And to your point, Judy, now’s a great time to have that fresh start, to really look at because now we actually have risks that were not present a few years ago, certainly with telehealth and the advancement of that and the use of that and the embracement of telehealth, those are some areas that we’re going to see the no surprises act, so many different areas have resulted through the last couple of years.
And so not to mention, I think what’s been a challenge for many of our compliance professional friends, is that work from home really hasn’t done any favors to the risk assessment process to some extent, meaning many of our clients have voiced how important those face-to-face meetings, those team huddles, walk in the halls are to building those relationships and raising that organizational awareness to compliance risk. I think many of us have lost that in this pandemic. So as a result, I feel like compliance professionals actually have to work harder, in many ways, to identify compliance risks that may be hiding under the surface that historically would’ve been elevated during these impromptu meetings. As you mentioned, I think it is a good idea to really, as you go through that risk assessment process, to really truly think through the attorney-client privilege and how to make sure that those areas are being protected.
But there are a number of things that providers can do to make that risk assessment process a little less daunting. We recommend that providers really focus on those inputs to the process. And as I mentioned, when I was in internal audit and conducting risk assessments, I realized how important understanding what I would call your risk universe is as the first step. I mean, I learned so much about the ever-changing organization from the identification of new joint ventures. I mean, certainly there’s been a lot more of activity in this space and being creative with the different types of transactions, to new service lines, to various new strategic initiatives that truly did require an analysis of those compliance risks. One thing though that I learned is not to overcomplicate the process. I was so focused on using the quote, “right risk ranking system” that I lost sight of the bigger picture in trying to force that complex methodology.
And that is a question that we will get asked from time to time in terms of what’s a great compliance risk assessment tool that I can use? And sometimes we’ll look at that compliance risk assessment tool as we are evaluating the risk assessment process for a compliance assessment, and sometimes it’s more complicated really than it should be. And I think it’s also important to realize the importance of the compliance department in educating the organizational leaders, as well as the compliance committee on those emerging compliance risks. So without this engagement by the compliance department, I have seen some that really relied just on the questionnaire. I think that’s a great start, but I think you need to incorporate the other elements of the risk assessment process because I think it’s a fine balance because in my experience from my prior life in internal audit and as a compliance officer, sometimes a risk assessment can be easily influenced by a leader’s own personal experiences versus risk to the organization at present.
So that’s why you do need to seek out outside counsel, in many cases, to get thoughts, like call Judy and ask, what are you seeing, what are you seeing some of your other clients facing to really make sure that you have that holistic risk assessment process. And not to mention that the OIG has specific expectations for greater involvement by management in the risk assessment process. In fact, as many of us know in the latest corporate integrity agreements, the OIG actually has included language related to the compliance committee’s duties that specifically state their responsibility for implementation and oversight of the risk assessment and that internal, that really tried and true internal review process. But as such, we are seeing providers being much more deliberate in leveraging knowledge of the operational leaders. And some providers are actually creating a risk assessment subcommittee of the compliance committee, where that subcommittee rather than the compliance department is leading the charge for the risk assessment process.
Judy Waltz
Well, Shannon, let me just make a point before we move on here, and that’s once you have your risk assessment done, you need to make sure that everything that’s identified in there is dealt with. It increases your risk astronomically if you get a risk assessment done and then don’t address whatever is in there. So you’ve got to be committed and you’ve got to have your leadership committed that whatever it is that comes out of this risk assessment, you’re going to embrace and fix. And there may be some paybacks or change of processes, it isn’t something that you just do and check off that you’re done now. That’s one of the things that when you’re looking at CIDs, which are basically subpoenas on steroids, and they also allow for personal testimony, that’s the other big advantage for DOJ with a CID, that [the risk assessment report] will be one of the things that is requested, and so it can’t just be put on a shelf.
And Shannon, you also mentioned, I think you were talking about the OIG’s compliance program effectiveness toolkit earlier, and that’s available on the OIG website, a joint effort between OIG and HCCA that I have found very useful. It’s very long, it has a million questions, and I don’t use all million questions, but in terms of starting with trying to assess what is going on, it has a lot of just really useful checklist type things that I’ve just … I think it’s just a really helpful document to get. It doesn’t replace a risk assessment, but in terms of getting your head around where you need to go for these risk assessments, I think it’s very helpful.
Shannon Sumner
Judy, that’s a great point. I think that tool really helps to bring some practical guidance in terms of the expectations. Not everyone in every organization would be able to comply with all of those questions that you mentioned, but it really is a good tool. We actually utilize that in our compliance program assessments, we have seen many clients do that as well, to get a good foundational start to their risk assessment process, as well as their, what I call their foundational elements of their compliance program. One item that you just mentioned that made me think about the other topic that we want to cover is about not doing a risk assessment and putting it on a shelf. When we think of other areas of documented risk, one area that I know both Foley and PYA have seen a lot of recently is related to transactions, particularly due diligence related to various types of transactions.
One of the areas that I recall back in my audit days is I was involved in helping to lead the due diligence activities for two health systems coming together. And I’m going to date myself here, this was actually back when you printed things and you put them in three ring binders and you pulled them out and you flipped through them. And I can remember the transaction was closed, the joint names were going up on the buildings, and we were so excited. And I remember looking and thinking, there’s a lot of information in those three ring binders that we want to make sure that we address, related to due diligence. And certainly the DOJ has actually included guidance within their documentation of compliance programs and looking at some of those expectations, and one section really is related to transactions. And so in terms of the guidance, they really are talking about how that a well-designed compliance program will look at and conduct a comprehensive due diligence of any acquisition targets.
We see it where many of us have been involved in those activities, but what they actually say is certainly related to this due diligence activity, did you do the work, and did you follow up on that? So Judy, to your point, would you say that one of the biggest risk areas could be the identification of a risk and it just gets placed on that shelf, and from a figuratively speaking, not on a actual bookshelf, but maybe in files and electronic files somewhere. So what are your thoughts related to the due diligence activities and some of those risks that are identified?
Judy Waltz
Well, they’re critical, for sure. And I can tell you we do a lot of due diligence here, and it’s surprising what is found. And I’m also flashing back to a case of an acquisition that was handled not by our firm, but by a firm that wasn’t … I don’t know how it happened, but somehow the buyer ended up inadvertently acquiring a home health agency in Florida. Now talk about high risk. And they were not in the home health business, so somehow this asset came along with the deal. So then we handled the due diligence, which was after the acquisition. So it was already theirs then and they had to live with it. And there were some identified problems there, as you might imagine, from a home health agency in Florida.
So it’s very important that you know what you’re getting into, hopefully before you acquire these problems, because assuming that you’re, with respect to the federal health care programs, assuming that you’re acquiring the [provider] numbers, so here we’re talking mostly about part A, but also can extend into part B, you’re buying into those problems. There’s no saying that it happened before our time. It’s your problem once you get into the mix, and so it really is important to do that due diligence ahead of time.
Shannon Sumner
Yeah, I remember taking that document or that master plan for the due diligence, and actually that was my compliance work plan for at least a year to really get through that. And the good thing about on due diligence is that a lot of individuals and firms, and they’ve actually gone through and done a lot of the analysis to start with, but it’s really up to the compliance and other members of the organization to take those things seriously and making sure that you do have those work plans. So Judy, from a takeaway perspective, what are some of the areas that we should tell our audience to really take away from our podcast?
Judy Waltz
These are my thoughts, and then Shannon, feel free to throw anything else in. First of all, the PHE is over, that’s pretty obvious, but that’s something that we need to think about, how things are going back to a new normal or maybe an old normal in some respects, but the PHE is over, the waivers are gone, the tolerance for the chaos and all of that is over. So secondly, I’d say that compliance is going to be very important in the post PHE environment. And I think we need to take some time to identify, when I say we, I mean the collective we, not just we, Shannon and me, but we need to take some time to identify and process the lessons that our particular entity learned during the PHE. I’d suggest that people focus on the new DOJ guidance and take it as an indication that the enforcers are moving the needle, so to speak, in their expectations of the level of responsibility, particularly of the people at the top. And then I’d say consider a post PHE risk assessment. And Shannon, what about you?
Shannon Sumner
Yeah, definitely from the post PHE risk assessment, as I mentioned earlier, there were so many processes that were either consolidated or using more technology than before, and that certainly resulted in some efficiencies and some processes are sticking now that may not have been considered before we were thrown into this pandemic, I would say, to really take that look, to do that due diligence on your own processes to see were there any that are staying, do we need to update our policies and procedures? Because one statistic that I heard from a client that really hit home for me in terms of the organization really changed significantly, is when you think about how much turnover that many health systems had. And so you’re retraining and relearning a whole new workforce in some cases, and everyone kind of brings their own experiences, they bring their own talents, but there’s also some risk that could be present because you are having to retrain and reacclimate individuals to what is a compliant work environment.
And so also, we just covered a few areas today, but certainly there’s so many more areas that are ripe for a risk assessment. As I mentioned earlier, the no surprises act, pricing transparency, certainly cybersecurity is an area that we hear over and over again in terms of how do we ensure that we are staying on top of the internet of things. So there is a treasure trove, Judy, for compliance officers to take advantage of some of the resources that are available for identification of risk and to ensure that those risks are being dealt with, to your point, on an ongoing basis for the organization.
Judy Waltz
And with that, I think we’ll thank our audience for their time today. It’s been fun for Shannon and me to talk back and forth. We appreciate that you joined us.
Shannon Sumner
Thank you everyone.
Judy Waltz
And so now I’m going to turn you back over to Angie and Jana and they will have some concluding remarks. So Angie and Jana, up to you.
For more information regarding the “Let’s Talk Compliance” podcast series, please click here.