Structuring Compliance: The Duke Model

June 2, 2014
Michael L. Somich, Executive Director, Office of Internal Audits
Tina R. Tyson, JD, Chief Ethics and Compliance Officer

What is a Compliance Program?
A program to effectively detect and prevent criminal conduct and promote an organizational culture that encourages ethical conduct and commitment to compliance with the laws and regulations. (§8B2.1(a), Federal Sentencing Guidelines)

Effective Compliance Program Elements Under Federal Sentencing Guidelines
- Board level involvement and high level executive responsibilities
- Specify individual and operational responsibilities
- Implement and communicate written policies and procedures
- Develop policies and procedures for anonymous reporting and program effectiveness review
- Conduct monitoring and auditing
- Respond promptly to detected problems and undertake corrective action
- Enforce standards through well-publicized disciplinary guidelines
- Address risk assessment

Status at July 1, 2004: Duke University Health System
- Chief Compliance Officer
- Reported to Compliance/Audit Committee and CFO
- Formalized plan
- Emphasized third party billing/OIG work plan
- Reliance on University for many compliance areas

Status at July 1, 2004: School of Medicine
- Chief Compliance Officer
- Reported to Vice Dean of Operations
- Risk assessment performed
- Emphasis on programmatic issues
- Clinical Trial Quality Assurance group
- Some coordination with others responsible for SOM compliance (animals, cost, OES)
- Role predominantly operations

Status at July 1, 2004: Duke University
- Decentralized
- No clear direction of responsibility
- No risk assessment and monitoring plan

June 2005
Senior Leadership (President, Chancellor of Health System, EVP, Provost, SOM Vice Dean for Operations, General Counsel) approved formation of a committee (Compliance Coordinating Committee) to identify gaps and create a formal institutional compliance program.

Institutional Compliance Plan
What compelled Duke to do this?
- It was the right thing to do.
- Risk of not doing. 95% of OIG penalties can be waived if effective compliance plan is in place.
- Current environment (OIG)
- Other peer audits and disclosures (e.g. Northwestern, Johns Hopkins)
- Sarbanes environment, expectation of investment bankers and Board
- Many peer institutions had institutional compliance plans; Recent survey (2/05 NACUBO Business Officer):
  - 43% in survey had an institutional compliance program
  - 79% thought they should have one
- We did not know all the laws we were responsible for or who owned and managed them
- We had not provided expectations of people managing compliance
- There was a lot that we knew we did not know.

Desired Structure

Structure Goals
- Involve all Senior Management in Steering Committee
- Provide Health System opportunity to collaboratively participate and share its experience in compliance
- Acknowledge DU is providing basic monitoring of compliance for Health System
- There would not be a significant increase in cost. Additional cost will be distributed across campus
- Compliance Coordinating Committee will make recommendations; responsibility still lies with compliance officers/managers/liaisons and supervisors
- Once responsibilities are defined, need for Chief Compliance Officer is expected

Steering Committee Composition
Senior Leadership:
- President (Brodhead)
- Chancellor (Dzau)
- Provost (Lange)
- Executive Vice President (Trask)
- SOM Vice Dean for Operations
- Academic Dean Arts & Sciences
- General Counsel

Steering Committee Mission/Objective
- Articulate corporate values
- Provide vision of institutional compliance
- Define levels of acceptable risk
- Provide visible support for compliance efforts
- Specify expectations of Compliance Coordinating Committee (CCC)
- Monitor activities of CCC
- Consider and approve recommendations of the CCC
- Receive CCC report to the Audit Committees

Compliance Coordinating Committee Composition
- Executive Director of Internal Audits, Chair (Somich)
- Health System Corporate Compliance Officer
- School of Medicine Compliance Officer
- Research Costing Compliance Officer
- Vice Provost for Research
- NCAA Compliance Officer
- Registrar
- Financial Aid Representative
- Environmental Health and Safety representative
- Human Resources representative
- Office of Institutional Equity
Steering Committee sets composition of Compliance Coordinating Committee

Compliance Coordinating Committee
Divided into two groups:
1. Develop a matrix of Federal Sentencing Guidelines and how we will structure the Duke program to meet those requirements
2. Develop an inventory of laws and regulations Duke must comply with
   a. Identify owner (one of top four senior leaders)
   b. Identify compliance liaison (the manager of the process)

Issues of Concern
- Resources requirements
- Compliance officers/managers/liaisons not assigned for specific areas
- Compliance officers not monitoring, documenting, dealing with exceptions correctly; not meeting sentencing guideline requirements
- Behavioral changes required. Will the Steering Committee be committed to enforce change?

May Steering Committee
- Approved CCC proposed matrix of roles and responsibilities
- Approved inventory of laws and regulations and owners and managers of the compliance risks
- Approved next steps
  - Code of Conduct to be developed
  - Administrative Conflict of Interest process review
  - Training of compliance managers/liaisons
  - Orientation of new and existing employees
  - Hot lines

Compliance Program Standards and Responsibilities
Duke University: 2014 Compliance Program Standards and Responsibilities

The US Federal Sentencing Guidelines describe the elements it considers when determining whether an organization has an effective compliance program: "an organization shall (1) exercise due diligence to prevent and detect criminal conduct and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law." The minimum elements required to demonstrate these points are as follows.

COMPLIANCE PROGRAM STANDARD
STANDARD 1: Establishment of standards and procedures to prevent and detect criminal conduct.

GOVERNANCE
- Audit Committee (AC):
  - Review & approve major compliance policies.
  - Review reports of compliance activities to evaluate adequacy of standards and procedures.
- Risk Compliance Steering Committee (RCSC):
  - Review and approve major compliance policies.
  - Review reports of compliance activities to evaluate adequacy of standards and procedures.

PROGRAM DEVELOPMENT & OVERSIGHT
- Duke University Ethics & Compliance Office and Duke University Health System (DUHS) Compliance Office:
  - Provide policy and procedural guidance to liaisons. Provide recommendations to RCSC and AC related to major policies.
  - Provide guidance to liaisons on key elements to be included in risk assessments, development of monitoring plans and respond to non-compliant behavior. Provide guidance on controls and processes to address identified risks when appropriate.

RISK OWNERSHIP
- Overall: Senior Leadership & Management:
  - Manage operations in accordance with approved policies and procedures. Implement operational controls to support compliance.
  - Ensure appropriate processes are in place to manage compliance risks.
- Operational: Compliance Liaisons:
  - Develop and implement policies and procedures related to assigned compliance risks.
  - Demonstrate that mechanisms are in place to identify problem areas and to prevent, detect and correct non-compliant behavior. Assist management in ensuring appropriate processes are in place to address compliance risks.

AUDIT
- Office of Internal Audits, Duke University Ethics & Compliance Office, DUHS Compliance Office:
  - N/A
  - Provide guidance to management on appropriate controls and processes to address identified risks. Audit defined processes, where appropriate, to assess operational adequacy of compliance controls and procedures, and to assess compliance with regulatory requirements.

Fall 2006 Training and Risk Assessment
- Hired Institutional Ethics and Compliance Director
- Develop training of managers/liaisons
  - Education
  - Risk assessment
  - Monitoring
  - Reporting
  - Remediation
- Execute training of managers/liaisons
- Perform initial risk assessment

2014 COMPLIANCE RISKS (risk matrix; axes: Impact, Probability)
- HIGH IMPACT: Animal Welfare; ClinicalTrials.gov Disclosure
- OTHER ISSUES: Remaining Issues
- INSTITUTIONAL RISKS: Athletics; Clinical Trials Billing; Conflict of Interest; Effort Reporting; Export Controls; Foreign Corrupt Practices Act; Human Subjects Research Protection
- HIGH PROBABILITY: Research Costing Compliance

Reporting
- Institutional Risks
  - Quarterly to IECP Director
  - Report prepared for review by Steering Committee before Audit Committee
- High Probability or High Impact
  - Semiannual reporting to IECP Director
  - Reported to Steering Committee in advance of Audit Committee

Formation of the Restructured School of Medicine Compliance Office
- School of Medicine Chief Compliance Officer recruited at time that Duke was restructuring much of clinical research and internal controls around clinical trials billing
- Designed to be a fully effective compliance program under Federal Sentencing Guidelines

Initial Compliance Work Plan Scope
- Designed to assess the top compliance risks to the School of Medicine
- Baseline assessment
- Adjust the time frames for future reviews based on initial assessment audits
- Trend analysis
- Partner with Senior Leadership on global changes.

Risk Assessment Methodology
The areas identified in initial work plan were prioritized based upon risk assessment using the following criteria:
- Financial and reputational impact
- The probability of occurrence
- The Office of the Inspector General's Work Plan High Risk Areas
- The audit findings and investigational results at other major universities
- Feedback from School of Medicine and Health System Administration
- Feedback from compliance liaisons
- The School of Medicine's enterprise-wide risk assessment

Methodology for Addressing and Allocating Risks within the Work Plan
The following risks were deemed so significant to the School of Medicine that they were integral components of annual reviews.
Areas requiring yearly review:
- Clinical Trials Billing
- Conflict of Interest
- Research Financial Compliance
- Human Subject Research
- Health Insurance Portability and Accountability Act (HIPAA)
  a. HIPAA Privacy
  b. HIPAA Security

Additional Significant Risk Areas
Additional areas stratified over first three to five years of work plan:
1. Select Agents
2. Institutional Biosafety Committee
3. Anatomical Gifts
4. Export Controls
5. Institutional Review Board/Office
6. Pre-Award Office (Office of Research Administration)
7. Post-Award Office (Office of Sponsored Programs)
8. Institutional Animal Care and Use Committee/Animal Welfare Assurance Office
9. Environmental Issues: Occupational & Environmental Safety Office (OESO)

Staffing
- Senior Leadership wanted assessment of all risk areas within 3-5 years so that if trends were identified, enhanced tools and controls could be developed and they could be assured that all areas had been reviewed.
- Staffing projections required analysis of skills needed for different types of reviews

Clinical Trials Quality Assurance
- Human Subject Review Compliance Reviews and clinical trials billing compliance reviews (both review types for each protocol selected)
- Senior clinical research nurses, clinical trials billing administrators
- Train in audit skills
- Cross-train on risk areas

Compliance Review Services
- Conduct research financial compliance reviews and reviews of other highly regulated risk areas (IRB, IACUC, IBC, COI, etc.)
- Needed comprehensive understanding of different kinds of federal grants and specific requirements
- Requires good analytical skills, and ability to learn other risk areas
- Former directors of Pre Award and Post Award offices
- Grant managers
- Senior Internal Auditor
- Cross training

- Analyzed numbers of reviews needed, stratified across 3-5 years
- Estimated time for completion of each type of review, number of reviews per year, number of auditor hours involved and calculated FTEs
- Worked with Senior Leadership and Chair of Audit Committee in getting FTEs approved
- Hiring and training took several months

Reporting Structure
- SOM Chief Compliance Officer reported to the Audit Committee of the Duke University Board of Trustees through the Chancellor of Health Affairs.
- Would also brief Senior Leadership of the University on major findings, status updates and work plan through the Institutional Compliance Steering Committee

Examples of Program Success: Conflict of Interest
- Detected areas for improvement in COI review and management process
- Organized COI Advisory Committee to oversee restructuring
- Advisory committee supervised outside consultants, drove deadlines, and redesigned process flow for vetting of COI forms
- Continues to provide advisory services and leadership in area of COI and recommends any policy or process changes
- Re-designed/approved/revised disclosure form
- Developed Institutional COI policy and process changes
- Continually tracks disclosure processing
- Recommends any needed policy or process changes
- Compliance office reviews conflict of interest annually

Clinical Research Units
When trends identified in some areas, partnered with Senior Leadership to require:
- Enhanced training and competency testing for research personnel
- HR realignments
- Monitoring required on localized level with escalation and reporting to compliance office

Research Financial Compliance Tools and Technology Enhancements
- Coordinated with Senior Leadership regarding trends to enhance accountability and technological tools used to manage risks in this area
- Enhanced front end controls
- Risk based detailed assessments
- Enhancements to internal controls related to cost transfers
- New technology
  - New Effort Reporting System
  - MyResearch

Compliance Scorecards
- Compliance made very meaningful with departmental business managers.
- Compliance one of several factors linked to incentive compensation.
- Tracked monthly via School of Medicine Risk Assessment Committee

Program Evolution
Institutional Compliance and Ethics Program merged with School of Medicine Compliance Office to form Duke Ethics and Compliance Office (DECO)
Effective August 1, 2013, Duke University Ethics and Compliance Office was formed from the combination of:
- School of Medicine Compliance Office (SOMCO); and
- Institutional Ethics and Compliance Program (IECP)
The combined office serves all of Duke University including the School of Medicine and School of Nursing and is under the leadership of Tina R. Tyson, J.D. as the Chief Ethics and Compliance Officer for Duke University.

Expansion
All components of the former School of Medicine Compliance Office are still in effect, but the portfolio has been expanded to add:
- Ethics and Compliance Monitoring portfolio that was formerly part of the IECP
- Compliance auditing and advisory services on campus

Ethics and Compliance Monitoring
- Work with units across institution in defining regulatory risk areas and areas to self monitor
- Institutional risk areas have monitoring provided to DECO quarterly
- Second tier additional risk areas provide monitoring semi-annually
- All others provide monitoring annually

Institutional Compliance Risk Assessment
Institutional Risks:
- Athletics - National Collegiate Athletic Association (NCAA)
- Clinical Trials Billing
- Conflict of Interest
- Effort Reporting
- Export Controls
- Foreign Corrupt Practices Act
- Human Subjects Research Protection
- IT Security
- Medical Insurance Billing (Monitored through DUHS Compliance and reported to DUHS Audit Committee)

Risk Category | Risk Ranking (Impact and Probability) | Reporting Frequency
Institutional | High/High | Quarterly
Additional risks | High/Medium or Medium/High | Semi-annually
All other risks | Those not included above | Annually

Additional High Risks:
- Animal Welfare
- ClinicalTrials.gov Disclosure
- Research Costing Compliance including: Cost Allocation Standards, Cost & Salary Transfers, Specialized Service Centers, Subrecipient Monitoring, and Timeliness of Award Closeout

Compliance Audit Activities
Duke Ethics & Compliance Office Compliance Review Services section (CRS) performs audits of research compliance for Schools, Departments, Centers, and Institutes.
CRS Review Objectives:
- Institutional compliance with corrective actions from prior review
- Effort reporting
- NIH salary cap and cost sharing
- NIH Career (K) Awardees - level of effort and salary
- Administrative and clerical salaries
- Allowability and allocability of charges to federal grants
- Cost transfers
- HIPAA Privacy/IT Security
- Shared resources

Clinical Research Audit Activities
Duke Ethics and Compliance Office Clinical Trials Quality Assurance section (CTQA) Reviews
Studies for Review:
- Chosen based on 13 factor risk analysis
- Strategized across Clinical Research Units
- Modeled on FDA Reviews
Focus:
- Good Clinical Practices
- Protocol Adherence (IRB Protocol)
- Federal regulatory requirements
- Institutional policies and procedures
Scope:
- IRB Documentation
- PI & Staff Qualifications
- Subject Documentation
- Inclusion/exclusion criteria (subject eligibility)
- Screening
- Enrollment logs
- Informed Consent Forms
- Delegation of Authority
- Correspondence
- Laboratory Documentation
- Test Article Accountability
- Case Report Forms
- Source Documentation
- HIPAA

Clinical Trials Billing
- Performed for protocols selected for human subjects research compliance reviews
- For billing risk studies, assess order sets and billing calendars after migration to Maestro Care
- Subject Capture
  - Accuracy of capture of enrolled subjects
  - Timeliness of entry
  - Subjects identified in Billing system
  - Corrections
- For studies designated as no billing risk, validate no billing risk determination

Benefits of Combining Programs
- Leverage monitoring to focus audit efforts in some risk areas
  - Clinical Research Unit monitoring allows reduction in target numbers of Clinical Trials Quality Assurance Reviews
  - Audits risk prioritized based on monitoring results
- Expand Federal Grant related audits to campus schools
- Leverage resources and share management tools
- Trend analysis informs additional tools/controls
- Create capacity for additional value-added consulting efforts

Mission
The Duke University Ethics and Compliance Office:
- Provides the vision for institutional compliance and articulates corporate values;
- Ensures that the program meets the elements of the Federal Sentencing Guidelines related to effective compliance programs;
- Defines levels of acceptable risk;
- Visibly supports compliance efforts; and
- Evaluates and responds to instances of noted noncompliance.

The role of the office is to provide expertise, consultation and assessment in matters of compliance as well as to facilitate implementation of a "compliant culture" appropriate to a top-ten university with an academic medical center.

In accordance with this mission, the office conducts compliance reviews related to Human Subjects Research Compliance, Clinical Trials Billing Compliance, Research Financial Compliance and other regulatory risk areas identified as part of the institutional risk assessment.

Contact information
Michael L. Somich, Executive Director, Office of Internal Audits, msomich@duke.edu
Tina R. Tyson, J.D., Chief Ethics & Compliance Officer, tina.tyson@duke.edu