university of california, san diego university of...

University of California San DiegoAudit & Management Advisory Services

Regents Committee on Compliance and AuditHealth Sciences Activities in Compliance

Kathleen Naughton: UCSD Health Sciences Chief Compliance & Privacy OfficerStephanie Burke: UCSD Asst. Vice Chancellor for Audit & Management Advisory Services

January 20, 2011

University of California, San Diego Governance Overview and Compliance Activities

Regents of the University of

California

UCSD Governance Organizational Structure 2010

President ofthe University of California

Academic Senate of the University of California

Shared Governance Responsibility

UCSD Chancellor

General Counsel

Secretary

Chief Compliance and Audit Officer

Treasurer UCSD Academic Senate

Senior VC – Academic Affairs

VC for Research

VC Marine Sciences

VC Student Affairs

VC Resource Mgnt & Planning

VC External and Business Affairs

VC Health Sciences and Dean SOM

UCSD Compliance, Audit, Risk and Ethics Committee

Standing Committees (23)Other Appointed Committees (5)

2

Presenter

Presentation Notes

Governance is defined as the process through which: Values and goals are established and communicated The accomplishment of goals is monitored Accountability is ensured, and Values are preserved The UC Regents, the UC President, and the UC Academic Senate have shared governance responsibility for University wide operations. The UCSD Chancellor and UCSD academic senate have similar responsibility for UCSD operations.

Compelling Agenda for Committee

ComplianceAuditRiskEthics

Themes for Committee

Sub Committees

Audit IssuesCompliance and

MonitoringRisk Assessment Research Oversight

Communication and Training

Transparency AccountabilityRisk Management

Health Sciences Compliance Student, Staff and Faculty

Ethics

UCSD Governance and Accountability Structure 2010

Information Privacy and Security

3

Presenter

Presentation Notes

UCSD has a highly collaborative culture and decentralized environment with effective communication channels between and among Vice Chancellor organizations. As a result, the campus philosophy is to leverage limited campus resources by integrating and consolidating governance and assurance reporting and oversight activities under a single Compliance, Audit, Risk, and Ethics (CARE) Committee, which reports to the Chancellor in an advisory capacity. UCSD Compliance and Audit & Management Advisory Services report periodically to CARE, and work cooperatively to leverage their individual risk assessment and risk mitigation efforts. UCSD CARE is chaired by the UCSD Chief Ethics and Compliance Officer, and is composed of representatives from each UCSD Vice Chancellor area, as well as various ex-officio positions such as the UCOP Chief Compliance and Audit Officer, the local UCSD Health Sciences Compliance Officer, and the local AVC for Audit Services. CARE provides for a centralized campus governance model and is used as a forum for discussion and mitigation of risks which cross various Vice Chancellor boundaries.

Auditing Controls: Controls performed outside of the line management structure by representatives of the governance function on a sample basis through a risk assessment process to assess the overall existence and effectiveness of the entire internal control environment.

Oversight Controls: Controls performed on a frequent and regular basis outside of a process but generally within the UCSD line management hierarchy by middle or senior managers and their representatives to gauge the effectiveness of operating and monitoring controls. In selected high risk cases such as health sciences billing, controls are performed by an organizationally separate compliance function.

Oversight Controls

(Compliance Responsibility)

Monitoring Controls

(Supervisory Responsibility)

Focused Reviews (Audit Resp)

Operating Controls(Employee Responsibility -

Controls Embedded in Processes)

Monitoring Controls: Controls performed within the process or immediately after the process by first line supervisors or representatives to insure operating controls are working effectively.

Operating Controls: Controls embedded in the process and which are provided by employees in the process to insure that process objectives are achieved.

UCSD Audit , Compliance and Line Management Responsibilities

4

Presenter

Presentation Notes

As the next slide depicts, UCSD Audit Services, Compliance , and line management work collaboratively to assure that responsibilities for oversight, monitoring, and operating controls are well-understood. This graphic helps explain the difference between line management, compliance, and audit perspectives on control.

Risk Assessment Activity and Coordination

Risk Management Responsibility

Senior VC – Academic Affairs

VC for Research

VC Marine Sciences

VC Student Affairs

VC Resource Management & Planning

VC External and Business Affairs

VC Health Sciences and Dean School of Medicine

UCSD Compliance, Audit, Risk and Ethics Committee

(CARE)Health

Sciences Corporate

Compliance

UCSD Chancellor

UC Systemwide Chief Compliance & Audit Officer

Information Security and

Privacy Function

Research Compliance

Audit & Management

Advisory Services

EH&S

Health Sciences Risk Management

Campus Risk Management

UCOP CFO Enterprise Risk Management Initiative

UCSD Decentralized Environment

UCSD Enterprise Risk Management Overview

5Health Science related

Presenter

Presentation Notes

While risk management is ultimately the responsibility of line management, the UCSD CARE Committee acts in a collaborative manner to assure that risk assessment activities are well coordinated among all the campus parties involved. Individual UCSD Audit & Management Advisory Services and UCSD Health Sciences Compliance annual risk assessments are generally conducted to formulate respective annual work plans. These efforts may include the following: Extensive Interviews with Campus Management CARE Committee Input Sought UCOP Input Sought Analytical Review Performed: department audits, health sciences regulatory topics, financial trends External Auditing Literature and Trends Evaluated Staff Input and Prior Audit Suggestions Sought Review of Regulatory Developments Conducted Other Risk Assessment Initiatives Considered Campus Risk Comparisons Conducted Formal Risk Model and Rankings Applied by Compliance and Audit Services Throughout the year, Compliance and Audit communicate on a project by project basis to assure that activities are activities are well-coordinated and that we are doing our best collaboratively to reduce significant risk . You will find an example of this effort in the informational item provided to you today on conflict of interest risk.


Regents Committee on Compliance and Audit

University of California, San Diego Health Sciences Compliance Program Report

7

Outline• Organization

• Key Program Components

• Education initiatives

• Monitoring focus areas

• External government audit activity

• Work Plan

VC Health SciencesDavid Brenner, MD

Dean for Clinical AffairsThomas McAfee, MD

Chief Compliance & Privacy Officer

Kathleen Naughton

Executive ComplianceAdvisory Group

HS Compliance,Privacy &

Enterprise RiskManagement

Committee(HSCP-ERM)

Privacy Program Manager

Research ComplianceProgram Director

UCSDCompliance, Audit, Risk

& Ethics CommitteeCARE

(Campus)

UC San Diego Health SciencesCompliance Program

SVP Compliance& Audit

UC Systemwide

UC Board of Regents

Corporate Compliance Program Manager

Rev.: Dec-2010

Advisory Groups• Privacy Security

Advisory Board• Research

Compliance Advisory Committee

• Clinical Data Access Taskforce

Physician AdvisorCompliance & Privacy

Lee Giddings, MD

8

9

Key Program ComponentsCorporate Compliance, Privacy & Research Compliance Programs

1. Oversight2. Policies, standards, code of conduct3. Education *4. Communication, hot line5. Monitoring *6. Enforcement *7. Response, prevention initiatives

Incorporates the Federal Sentencing Guidelines’ 7 key elements for effective compliance programs.

* Education, monitoring & enforcement have the most

impact.

Education Initiatives – FY2011• Compliance Program▫ New employee orientation includes compliance / HIPAA▫ New clinical provider compliance training▫ Annual coder training (8 hours), webinars▫ Monthly newsletter, topic specific billing guides

• Privacy Program▫ HIPAA training (annually)▫ Posters: Information Security Awareness▫ Monthly newsletter, topic specific training modules

• Research Compliance Program▫ Training program for research staff▫ Monthly newsletter, posters, brochures

10

11

Program Focus Areas • Work Plan ▫ Risk assessments (annually)

• Monitoring & Reporting to Leadership (examples)▫ Billing: profiles, coding vs. documentation reviews, complaints▫ Privacy: electronic activity (surveillance of user access)▫ Clinical trials: risk assessments, compliance with standards ▫ COI: outside professional activity reports (APM-025)

• Enforcement & Prevention Methods▫ Refund over-payments, suspend billing▫ Implement corrective action plans▫ Change processes, update policies ▫ Provide training on procedures, offer continuing education▫ Apply sanctions in accordance with UC personnel policies

12

External Government Audits – FY2010• Compliance Program▫ Medicare Recovery Audit Contractors (RAC)▫ Medicaid Integrity Program Audits (MIP)▫ Office for Inspector General (OIG), self-audit(s)▫ Health Care Reform initiatives / ARRA Due to increased government funding to fight fraud and abuse, audit

activity will continue to rise. Expect scrutiny over the use of ARRA stimulus funds.

• Privacy Program▫ CDPH investigations: reported breaches (licensed facility): 17▫ Fines for serious breaches: 0▫ Fines for untimely reports: 0 Breach notifications are required to CDPH and the consumer within 5

business days. Fines for late reports: $100/day/name▫ Large scale incidents (>500): 0

13

Compliance Work Plan – FY2011• Compliance Program▫ Monitor billing claims to ensure accuracy Scheduled reviews, investigate billing complaints Assure that overpayments are refunded within 60-days (PPACA law) Use government audit activity to assess controls

▫ Monitor annual reports of outside professional activity (APM-025)▫ Participate in UC systemwide education initiatives ICD10: New diagnosis coding structure, effective 2013 Clinical research billing: Clarification of complex rules

• Privacy Program▫ Monitor user activity (electronic surveillance)▫ Investigate complaints▫ Update privacy policies & education modules (HITECH laws)▫ Promote privacy / information security (access control, encryption)

* Example of the compliance work plan, partial list


Regents Committee on Compliance and Audit

University of California, San Diego Audit and Compliance COI Risk MitigationInformation Item - Appendix

Key risk areas for faculty and institutions: Conflict of Interest and Conflict of Commitment• Federal and state laws governing conflict of interest, conflict of

commitment, disclosure of financial interests for research and medical compensation are relatively complex.

• Changing environment: Federal regulations in this area are becoming more stringent and government funding for anti-fraud initiatives is on the rise.

• The appearance of a conflict can undermine public trust, even in situations where mitigating factors are made known to the public.

• The consequences of failure can adversely impact research, funding, and result in individual faculty penalties, fines, and license restrictions.

Risk area to the institution: Resources & Decentralized Processes• Current campus and departmental systems for tracking disclosures of

financial interests are manual, cumbersome and decentralized.

COI Risk Overview

Presenter

Presentation Notes

A specific example of a risk identified by both Health Sciences Compliance and Audit & Management Advisory Services is Conflict of Interest (COI). This area is considered high risk for a number of reasons (see bullet points.)

New financial conflict of interest (FCOI) rules were proposed in the May 21, 2010 federal register in order to reduce conflict of interest in research. The proposed regulations would:

Require Public Health Service (PHS) funded investigators to disclose to their institutions all Significant Financial Interests (SFIs) related to their institutional responsibilities. This would move the responsibility for determining if an investigator's SFI are related to his/her PHS-supported research from the investigator to the institution.

Lower the monetary threshold at which interests require disclosure, generally from $10,000 to $5,000.

Require institutions to provide the PHS Awarding component (e.g., NIH) significant additional information on identified FCOI and how they are being managed.

Require every PHS-funded institution to post, on a publicly accessible website, information on certain SFIs that the institution has determined are related to PHS-funded research and constitute FCOI.

COI Changing Regulations

Presenter

Presentation Notes

Patient Protection Affordable Care Act of 2010 (PPACA) includes a Physician Payment “Sunshine Act” Provision: Prevents conflict of interests and insures transparency of information for

patients by requiring all drug companies, device, and medical supply manufacturers to fully disclose to HHS and any gifts or payments made to physicians, as well as any other financial relationships that they may have with doctors, physician practices or physician groups.

Data is to be reported to the federal government electronically to ensure public availability of the data in an easily searchable format on a website.

Details:• Data recording begins January 1, 2012 and reporting start to the federal

government begins as early as March 2013. • Device, drug, medical supply, and biologic companies must report

information related to the nature of the payments and other transfers of value to physicians and hospitals for values of $10 or more (or for $100 total in a calendar year).

• This bill will pre-empt state laws that are similar or weaker than this provision, but will not pre-empt more restrictive laws.

COI Changing Regulations

Presenter

Presentation Notes

While this provision is described by some as seriously flawed in that it requires reporting in an aggressive timeframe without specifying what agency is to receive this data, or otherwise establishing accountability for implementation and oversight at the federal level. Thus, too much data in an unorganized or confusing format may prove to be less than useful. However, there is no doubt that the provision will result in public greater scrutiny of payments made to UC physicians at a time when our systems and processes for capturing potential conflict of interest information and being able to explain how these conflicts are managed are in need of improvement.

Risks Risk Reduction

Conflict of Interest

(COI)

&

Conflict of Commitment

Submit: Calif. 700-U form (Conflict of Interest) for IRB research studies & service agreements with industry

Report: Outside Professional Time (APM-025)

Comply with Health Science department’s good standing” criteria – HS Compensation Plan (APM-670, Outside Professional Income)

Report: Time / Effort – research grants (Federal Regulation: OMB Circular A-21, J.10)

Adhere to UC’s policies and procedures for COI and health care vendor relationships

COI Risk Mitigation: Policy Requirements

UCSD COI Risk Mitigation: Focused Reviews

AMAS Review of Conflict of Commitment Policy (2007) Limited instances of non-compliance with policy Dean/departmental responsibilities for disclosures not clear Greater coordination and information exchange between COI and Academic

Personnel needed to monitor disclosures

AMAS Review of Health Sciences Research Conflict of Interest (2009) Disclosure form submission process was paper-based and complex Greater coordination and information exchange between COI, Human Subjects

and Contracts & Grants needed to monitor disclosures

AMAS Consultation on Disclosures for Non-Faculty Appointments Over 50% (2010) Employment contract clarifications needed

Current Systemwide Audit (in Process)

Presenter

Presentation Notes

Risk Mitigation activities at UCSD related to conflict of interest are varied and include focused reviews conducted by Audit & Management Advisory Services; oversight and monitoring controls involving Compliance as well as line management; and various planned system and operational improvements both at the campus and potentially at the system-wide level. Projects conducted by AMAS include (see bullet points above.)

Education Initiatives – Health Sciences Compliance Program

Purpose:• Prevent, detect, and correct violations• Support the health science mission – quality patient care, teaching and

research • Demonstrate a commitment to making ethical decisions in an organizational

culture that values compliance and promotes awareness of duty to report concerns without fear of retaliation.

COI education points: • Avoid participating in, influencing, or making a decision that benefits your

financial interest• Duty to disclose, recuse, divest, and/or seek advice

Flexible, scalable approach to education / training: • Use staff meetings, the learning management system, webinars, newsletters,

posters, web resources, email, policy and guidance documents

UCSD Risk Mitigation: Oversight and Monitoring

UCSD COI Risk Mitigation: Oversight and Monitoring

UC San Diego Health Sciences – Compliance Program • The Compliance Program ensures that Health Sciences faculty and other

workforce members adhere to the myriad of regulatory requirements associated with UC’s mission of teaching, research and patient care.

• Compliance Advisory Group:• Reviews all conflict of commitment disclosures (Category 1 and 2) and advises

the VC-Health Sciences. Category 1 requires approval from the Vice-Chancellor and Chancellor.

• Issued a revised APM-025 form, “Reporting of Outside Professional Activities”, with assistance from UC counsel (FY11).

UC San Diego Health Sciences – Vice Chancellor’s Office• The Vice Chancellor’s Office implemented the revised APM-025 form which

combines required disclosures for time and income associated with outside professional activities by SOM faculty members. This form incorporates some anticipated changes in federal disclosure levels.

Presenter

Presentation Notes

The next slide outlines various oversight and monitoring controls to reduce COI risk which have been implemented by the UCSD Health Sciences Compliance function. (follow bullets on next two slides). Notes: Category I activities are likely to raise issues of conflict of commitment and require prior written approval before the faculty member may engage in the activity. Examples of Category I activities include assuming an executive or managerial position in an outside entity, establishing a relationship as a salaried employee outside the University, or administering a grant outside the University. Category II activities are less likely to raise issues of conflict of commitment and are ordinarily allowed without prior approval. Examples of Category II activities include consulting, serving on a board of directors, providing a workshop for industry, and providing expert testimony. Category III activities ordinarily do not raise conflict of commitment concerns, are considered part of the faculty’s scholarly and creative work, and do not count toward the 39/48-day limits. Examples of Category III activities include serving on government committees, serving as editor of a professional journal, reviewing journal manuscripts or grant proposals, and developing scholarly works such as books, journal articles, movies, or television productions. The Health Sciences Compensation Plan (Academic Personnel Manual 670) addresses the various salary components for health sciences salary, salary negotiation, and outside income that may be directly retained. All income for patient care activities must be reported to the plan. Other professional income (both cash and non-cash such as stock and stock options) must be reported, in accordance with the faculty member’s health sciences appointment. This would include income earned while on paid leaves of absence and vacations, holidays, weekends etc. For Category I and II income, the faculty may directly retain the greater of $20K or 20% of base salary. Any additional income must pass through the compensation plan. For Category III income, income from unrelated activity (prizes, royalties, honoraria, stipends) may be retained by the faculty member without limit. Income for occasionally earned Category II income may also be directly retained. Effective August 2010, based on a UCOP initiative to combine reporting for APM Policy 025 and APM Policy 670 for health sciences faculty members, UCSD has adopted a new manual form which must be completed by health sciences faculty each year to demonstrate compliance with these policies. The new form requires that items of Category I and II compensation be reported at levels of <20K; 20 – 50k; and >50K. This form must be signed by both the faculty member and the Chair and is retained in the department, unless additional review is required for Category I compensated activities which require authorization by the appropriate dean of VC Health Sciences.

UCSD COI Risk Mitigation: Oversight and Monitoring

Health Sciences: • School of Medicine Dean’s Office established “good standing” criteria

which requires that departments have transparent implementing procedures for salary negotiation; and that faculty comply with the Health Sciences’ Code of Conduct and the annual reporting of outside professional activities in order to earn and directly retain income from such activities.

• The Compliance Program monitors faculty reports for compliance with APM025 policy.

• Office of Continuing Medical Education (OCME) requires speakers to disclose financial interests.

Presenter

Presentation Notes

It is very difficult to monitor COI in a highly decentralized environment. However, the UCSD SOM has designed a method to assure that departments and ultimately individual faculty members assume responsibility for disclosing potential conflicts of interest.

COI Risk Mitigation: System & Operational Improvements Planned

Development of a systemwide real-time on-line user-friendly system for disclosure of financial interests and tracking of research COI disclosures

Efforts are underway to develop campus-wide support for such a system. UCSD had dedicated a full time programmer to the Kuali-Coeus COI initiative, which is now gaining support from multiple campuses.

Expansion of the list of “designated officials” required to annually disclose financial interests to include Health Science department chairs, division chiefs and chief administrative officers.

Presenter

Presentation Notes

Ultimately, many of the risks associated with UC conflict interest required disclosures would best be mitigated by taking a campus-wide approach to developing a common system which will meet the needs of federal agencies, individual campuses, the institution, and individual UC employees. A system-wide webinar held in April 2010 led by UCSD Research Affairs indicated campus-wide interest in the potential expansion of a Kuali-Coeus Conflict of Interest module to address broader conflict of interest requirements in the University environment. It appears that few if any of the UC campuses have integrated state-of-the art conflict of interest disclosure systems. The Kuali-Coeus initiative, currently supported by a full-time UCSD programmer, would benefit from greater UCOP financial support and leadership to assure that a real-time on-line user-friendly system can be developed within a reasonable time frame. Ideally, the system would address research conflict of interest disclosure requirements, designated official disclosure requirements, conflict of commitment disclosure requirements, and health sciences compensation plan disclosure requirements, as well as other required disclosures governing conflict such as employee-vendor relationships. It would be available for access and update by those disclosing conflicts, and could be used by a myriad of offices required to deal with the disclosure or oversight of conflicts in their daily business routine such as: External Relations, Gift Processing; Sponsored Projects, Human Research Protections Program, Clinical Research Administration, Business Contracts, Academic Personnel, Conflict of Interest, and others. Most importantly, in a period of declining revenues, an effective user-friendly system-wide conflict of interest disclosure system would save time and resources for researchers, as well as provide the means for improved oversight, reporting, monitoring, consistency, and accountability of disclosures. The Kuali Foundation is a non-profit entity formed to develop and sustain administrative software that meets the needs of all Carnegie Class institutions. Members include colleges, universities, commercial firms, and interested organizations that share a common vision of open, modular and distributed systems for their software requirements. The Kuali-Coeus is a cradle-to-grave research system originally based on the Coeus system developed by MIT to track proposal and budget development, grant submission, awards, negotiations, report tracking, subcontacting, and research compliance (IRB, IACUC, and COI.) The COEUS Consortium was formed in July 2005 and consists of 50 institutions. Those participating assist in design specification, programming, testing, and quality control, etc.

Conclusion

Laws and regulations that govern conflict of interest, health care and research conduct are complicated, and penalties for not following these regulations are severe.

Audit and Compliance Program staff provide oversight, auditing and monitoring resources for managing areas of risk.

university of california, san diego university of...

Documents