10 steps to a corporate compliance hotline
By G. Michael Barton, SPHR
Vice President of Human Resources
Regional Medical Center, Madisonville, KY
An effective corporate compliance program must provide an avenue for employees to report concerns and perceived violations of the organization’s standards of conduct, inconsistent administration of policies and procedures, and any legal or regulatory infractions. The employee hotline provides an objective and confidential means for reporting their concerns.
The hotline also provides an efficient monitor for detecting violations of the corporate compliance program. It instills confidence because employees are allowed to share their concerns in a convenient, comfortable, and generally anonymous format. Before installing a hotline, an organization should answer these questions:
• Who is responsible for managing the hotline?
• How will callers be protected from retaliation?
• How much training will be needed to ensure the employee can effectively use it?
To answer those questions, an organization must carefully design a system that addresses simply how the hotline will be administered and communicated. That can be accomplished in 10 steps:
Step 1: Establish responsibility. The corporate compliance officer should have the responsibility for maintaining the operations and integrity of the hotline. It is important that someone in the organization assume this responsibility if the organization does not have a corporate compliance officer. This individual must be seen by employees as objective, trustworthy, and responsive. Here are some duties of the hotline coordinator:
• ensuring that the hotline functions accurately and appropriately;
• coordinating investigations of reported violations and infractions;
• providing feedback to callers as requested;
• reporting hotline activity to the governing board on a regular basis (usually quarterly);
• coordinating record retention and documentation of reported concerns.
Step 2: Determine the servicing source. The hotline’s usefulness may depend on the people calling, but its integrity is dependent on the individual at the other end of the telephone line. It is absolutely essential that the organization select an outside source to serve the hotline. Some organizations have used the human resources department, risk management department, and even individuals from administration to answer calls. Unless an outside firm is used, the organization will face an uphill battle convincing callers it is an objective and anonymous source. The outside source should be off-site and easy for the employee to access. Employees can be provided with a toll-free telephone number from which to access the hotline.
The outside servicing agent summarizes callers’ concerns and communicates them to the corporate compliance officer or other designated individual. Callers then can access the hotline again to determine resolution, or answers to general concerns can be distributed through memoranda or the organization’s newsletter. In some extreme cases, the caller may be referred to the organization’s attorney, medical director, risk manager, human resources director, or chief executive officer.
The servicing source should be identified as your particular organization’s hotline, not a general resource. The line should be answered with something like, "You have reached XYZ Medical Center’s corporate compliance hotline. How may I help you?" If the hotline is busy or not operational for some reason, the recording should explain that it is necessary to speak with the caller directly: "You have reached XYZ Medical Center’s corporate compliance hotline. We do not accept recorded messages because it may be necessary to ask questions of you, and we do not want you to leave your name. Your input is important to us. Please call back when an operator is available. Thank you for your call."
The servicing source must be patient but objective with callers. It is inappropriate for the source to agree with callers or attempt to resolve concerns before communicating it to the organization. The source, like the corporate compliance officer, must be objective, trustworthy, and responsive. This can be accomplished if the source and the organization work closely to respond resolve hotline concerns.
Step 3: Identify the hours of operation. This step may sound simple, but it should be given careful consideration. Does the organization want a 24-hour hotline? This may sound ideal, but in reality it is expensive and impractical. Most hotlines are maintained Monday through Friday from 8 a.m. to 6 p.m. or 7 p.m. These hours allow employees on all three shifts to access the hotline and ensure a servicing agent will be available to take calls. Users should be informed of the hours of operation through memoranda and a recording when calling the hotline.
Step 4: Implement mechanisms to ensure confidentiality. It is imperative that the servicing agent inform callers of their right to anonymity. Hotline users should not be required to disclose their identity. If a caller chooses to do so, this disclosure still should be protected as much as the law and company policy will allow. These mechanisms can help ensure confidentiality:
• An established code of conduct. The code should outline the employee’s right to privacy.
• A non-retaliation/non-retribution policy. This policy is discussed further in Step 8.
• Hotline protocols. The protocols should outline in detail what the caller will be asked to disclose. Usually, the caller should be asked about the general nature of the call, a summary of the concern or violation, why the caller is concerned, how long the problem has been going on, and what action the caller would like to be taken.
• A report team within the organization. Determine who will be allowed to see the caller’s complaint. The most efficient method is to identify a team of individuals who are charged with reviewing certain types of complaints. This team generally consists of the corporate compliance officer, human resources executive, risk manager, corporate legal counsel, and the internal auditor or other person designated to handle billing and financial concerns. The team will call on the appropriate clinicians as necessary to help evaluate any complaints concerning clinical issues.
Step 5: Develop reporting mechanisms. You must determine from the outset how often hotline activity will be tracked and reported. The reports are the responsibility of the corporate compliance or other designated individual. The report should be a compilation of the type of hotline calls received. Here are suggestions for how the reports should be made: a quarterly report to the board; a summary report to the chief executive officer at least monthly, including a review of hotline usage and types of concerns; a quarterly report to employees that re-emphasizes the hotline as a valuable source of reporting concerns; a quarterly summary to managers that details types of concerns and usage; a quarterly review with medical staff outlining practice and physician concerns.
Step 6: Establish guidelines for record retention. "The Hotline Report" should be the official record of the hotline calls. The report generally contains the nature of the concern and any material facts provided by the caller. The corporate compliance officer or designee is responsible for ensuring retention and security of the report. Generally, most concerns such as policy interpre-tation, scheduling problems, or venting can be destroyed after three months if resolved. Complaints needing more investigation or legal review should be retained until completely resolved. Complaints of sexual harassment or malpractice may need to be kept longer, especially if the investigation is ongoing. The organization’s legal counsel should be involved in determining the length of retention in such cases.
Step 7: Develop methods for investigating and resolving complaints. The report team members discussed in Step 4 should be the key individuals in investigating and resolving complaints. The corporate compliance officer or designees will initiate any investigation by referring the complaint to the appropriate member of the report team. This individual will investigate and attempt to resolve the complaint to the caller’s satisfaction. In some cases, that means establishing communication with the caller. If the caller wishes to remain anonymous, the report team member will inform the corporate compliance officer of the investigation results and any recommended actions.
The corporate compliance officer or servicing agent then will report to the caller, or the results may be summarized and reported through a memorandum or the employee newsletter. In certain situations, changes in policies, procedures, or processes will be reported in a general summary to all employees. That protects the identity of the caller but offers a solution that can be communicated universally. For instance, a complaint that smokers are taking extra break time can be addressed by re-emphasizing the organization’s break policy.
Step 8: Implement a non-retaliation/non-retribution policy. A policy that prohibits retaliation if an employee reports a violation is critical to the success of the corporate compliance program and the utilization of the hotline. (See sample, p. 37.) This policy should be distributed widely to employees through handbooks, memos, bulletin boards, and discussions in employee meetings.
Identify, train hotline users
Step 9: Identify hotline users. The organization must determine the users of the hotline. Generally, the users include employees, physicians, executive staff, board of directors, and contracted employees. In some organizations, users also include volunteers, vendors, and outside providers of services such as home health. Other individuals who may have access include former employees, employees’ family members, and the community in general. This last group may have access simply because the telephone number to the hotline is widely distributed. It is the organization’s responsibility to inform the servicing agent of who has access to the hotline.
Step 10: Train the hotline users. The most important step is to train employees and other authorized users on how to use the hotline properly. The organization should provide detailed, ongoing, mandatory training to all employees and to all new employees during orientation. Training should include how to access the hotline, the types of concerns addressed, discussion of confidentiality, review of the non-retaliation/retribution policy, what callers can expect from the service provider, hotline hours, and how complaints are investigated and resolved.
Complaints generally fall into these categories: criminal activity (illegal and fraudulent activities); conflict of interest; policy violations; safety/health risks being asked to perform unsafe or risky tasks; human resources concerns sexual harassment, bad management, scheduling programs, discrimination, and disagreement with performance evaluations; conducting personal business on company time; staffing concerns not enough staff to provide safe or adequate care; conduct code violations; and significant waste of funds, supplies, or general money mismanagement.
Some callers may only want clarification of a policy. Others may need to vent about a co-worker or harsh manager. The most serious calls are those in which an alleged criminal activity or major violation has occurred. Those calls will take more involvement from the corporate compliance officer and report team to resolve.
The hotline quickly can become yesterday’s news unless the organization clearly commits to making it a vital resource to employees. This can be accomplished by keeping employees informed about how to use and access it. The organization will need to provide annual training, and the hotline may need to be changed over the course of time to meet the changing needs of the employees.
The organization should survey employees and users at least annually to determine the effectiveness of the hotline. Keep in mind why it was installed in the first place: to provide employees an effective way to report their concerns and to show them their input is valuable. It is the ultimate means to allow employees the opportunity for open and confidential expression, and it is the ultimate tool for making organizational change.