Improving compliance by focusing on 7 factors

Identify risk, assess resources

Research institutions might begin any new or improved compliance program by following the seven elements of an effective compliance program that are part of the Office of Inspector General (OIG) compliance guidance for hospitals, an expert advises.

These elements were recommended and optional for hospitals, but under the 2010 Patient Protection and Affordable Care Act these elements are now required to be part of a hospital's compliance program, says Barry Rosen, JD, ARM, CHC, CHRC, manager, regulatory compliance, Children's Medical Center in Dallas, TX.

The seven elements are comprehensive and provide a good framework for beginning or improving a research compliance program, as well.

"There's an unstated eighth element which is that you need to do a risk assessment to determine what you're going to focus your compliance program on to make it effective," Rosen says.

In addition to the OIG's seven elements, research organizations can improve compliance through successful strategies employed by hospitals and other research institutions.

Rosen offers these suggestions for ways to improve research and health institution compliance programs:

Identify compliance work plan project risk level: "We have a three-tiered rating system from high to medium to low that we use when looking at each project," Rosen says. "We also have a quantitative system from one to five."

Organizational risk areas for hospitals include regulatory, legal, and financial.

Each project is assigned numbers relating to its risk on a scale that ranges from 14 to 20 for high risk, seven to 13 for medium risk, and less than seven for low risk.

"The highest rating is assigned to projects with the highest organizational risk, such as those with potential substantial Medicare and Medicaid billing problems and inappropriate physician compensation agreements," Rosen says. "Those are just examples of things that might be put in a high risk category."

From the organizational risk perspective, medium risk might involve a business expense gift log program or bad debt. Low risk could be an internal website that employees use for information. Keeping such websites up to date or making technological conversions could also add some risk to them, he adds.

For some institutions, including children's hospitals, research compliance might not need the full range of classifications, however.

"I don't have anything research-compliance related that is less than a high risk project," Rosen notes. "Children are in a high risk category under federal laws and regulations, and they receive heightened protection under clinical trials, so you have to be extremely careful at all times."

Assess resources in correcting problems: Compliance leadership can review resources, draw up lists of projects, review and rank them, and then incorporate them into a work plan for the department.

The idea is to hold the compliance department itself to high standards and to be transparent when communicating its own use of resources and productivity, Rosen says.

"This enables us to report to our board and through the appropriate leadership chain at the hospital what is going on and also to provide insight into emerging trends," he explains. "Sometimes we will do a project, and we don't have any findings, so that's important to report too—not just reporting what's wrong, but reporting what's right."

The goal for a compliance department is to get voluntary cooperation from staff and researchers.

"It's much better to get people compliant because they want to do it than because they're told they have to do it," Rosen says. "Your stock-in-trade is to get people's voluntary cooperation with you and to achieve an effective compliance culture at the organization."

Review clinical trials: At the Children's Medical Center, the compliance office reviews select clinical trials.

"Very few of our studies have more than 14 enrolled subjects, and we check 100% of all subjects," Rosen says. "We have some studies with 40 to 50 active enrolled subjects, and we did check every single subject—but not necessarily every study visit."

Compliance officers look at everything that is billed, dates of service for the study-related activities, subject recruitment, monitoring, drug device dispensing accountability, a data safety monitoring board (DSMB) if applicable, research records, serious adverse events, informed consent forms, and other research site activities. They also review IRB activities, materials, protocols, and contracts, and other facets of the IRB.

"We have a responsibility to know that our IRB, which sits at the medical school, is doing what it needs to do because these subjects are our patients, and we're responsible for what happens," Rosen explains.

To make the review process consistent and thorough, compliance officers use a 14-page research compliance checklist that has been developed and updated over the past few years.

An in-depth clinical trial review might take Rosen or the senior research compliance specialist 180 hours to complete. Other reviews might take 140 hours, Rosen says.

Analyze findings: Rosen examines review findings to determine their severity and whether there are noncompliance trends.

"Is it systematic and caused by system error?" he says. "We look at what things are and divide them into what it would take to correct them and prevent future problems."

Compliance officers are most concerned about high severity mistakes that happen with great frequency due to system errors, Rosen says.

Follow-up actions vary. For instance, the compliance office might ask the research administration department to ask a principal investigator or research coordinator to sign a statement that everything is done correctly, he explains.

"There needs to be accountability, and by having a statement signed, it holds people accountable," he adds. "Sometimes we'll put on a work plan project for the following year to look at the issue again."