Kusserow on Compliance: Ensuring Hotline Effectiveness

By Richard Kusserow, former HHS Inspector General and CEO of Compliance Resource Center.  Reprinted from his Wolters Kluwer‘s Kusserow on Compliance Blog

Hotlines are a key element in any compliance program and have been called for by the U.S. Sentencing Commission, HHS Office of Inspector General (OIG), Sarbanes-Oxley Act, and HIPAA Privacy/Security Rules. Even the Supreme Court has made clear that hotlines are needed to raise an affirmative defense for unlawful harassment. The problem for many is trying to determine how and what an effective hotline function should look like. The following are some key elements of effective hotline operation:

  • Establishing the hotline. One of the most tangible components of your compliance program is the reporting channels that employees can use without fear of retaliation, such as an employee hotline. Fortunately, a hotline is easy to establish. Many firms will operate your hotline for a fee, providing a toll-free line, 24 hours a day, seven days a week, 365 days per year, as well as live operators and other bells and whistles, depending on the needs of the organization. You may also establish a hotline internally with relative ease. However, simply turning on a toll free telephone does not mean that you have an effective hotline.
  • Establish a mission and objectives for the hotline function. To ensure effectiveness of the hotline operation, you must start with clear objectives or mission for the hotline. To support this objective, organizations could establish a supporting policy and procedure documents, including those relating to ensuring anonymity and confidentiality.
  • Establish a basic plan of operation. A hotline operation extends beyond the telephone number; it includes an objective, operating protocol and procedures pertaining to call volume, security measures, investigation, follow-up, and resolution. Operating protocol and procedures are the details of how the hotline will be operated including the hours of operation, report preparation, response times, etc. This information may be included in the hotline policies; however, it would be more appropriate for an operations manual.
  • Develop and implement hotline related policies. A number of policy documents are needed to ensure the hotline will be able to function effectively. These documents will indicate a number of policies, including how the calls are answered, documented, and acted upon by those responsible for its operation. However, there are many other needed policies to ensure the efficient operation of the hotline. Some extend to the entire work force and include a focus on: (1) a duty to report, (2) anonymity/confidentiality, (3) non-retaliation/retribution, (4) relationship with legal counsel, human resource management, and financial management, (5) investigation and case management of hotline allegations/complaints, (6) reporting to external authorities, and (7) auditing and monitoring of the hotline. By implementing these policies in advance of receipt of serious allegations, providers can help ensure an effective outcome.
  • Assess follow-up on call reports. Often overlooked with internal hotline reviews is an assessment of the steps following receipt of a call. If the primary objective of a hotline is to receive and resolve allegations of misconduct or other problems, then the Compliance Officer should carefully review this secondary process. Furthermore, it is our experience that the OIG looks very closely at the activities following receipt of a hotline call. Specifically, reviewers want to see tangible changes as the result of hotline calls such as disciplinary action or enactment of new policies or procedures. Thus, a key to effectiveness includes an assessment of whether the staff who investigate complaints and allegation have been properly trained.
  • Ongoing auditing and monitoring requirements. The OIG calls for …


    ‹ Return to the Main Publications Page
    ‹ Return to the CRC Homepage