There is a famous 18th-century painting by Girodet of a mythical encounter between Hippocrates and an ambassador for the Persian king Xerxes that depicts the physician spurning Xerxes’ attempt to buy his services, because Hippocrates knows the ruler is going to start a bloody war against Greece. Hippocrates’ loyalty prevails.
Ed Longazel put the image on the cover of the budget folder he prepared for Drexel when he came to work for the College of Medicine early in his tenure.
He likes the artwork because it represents honesty, and Longazel has spent his 21-year career safeguarding the integrity of large institutions — most recently as head of compliance for the College of Medicine, and previously as a compliance consultant for KPMG from 1997 to 1999, and for five years before that as director of compliance and physician reimbursement for the University of Pennsylvania Health System.
A framed print of the painting now hangs in Longazel’s office, which recently acquired a new name — the Office of Corporate Compliance and Privacy — and new responsibilities. President John Fry has elevated Longazel’s position to the cabinet level and named him a vice president and chief compliance and privacy officer. His office is in charge of overseeing compliance and privacy not only for the College of Medicine, but for the entire University.
In a sit-down with Drexel Quarterly, Longazel explained why President Fry is putting more firepower behind the University’s compliance program, and what faculty and staff should do when they encounter questionable situations.
Q: Why is it important for Drexel to have a University-wide office of compliance and privacy?
A: It’s important because if something happens — if someone is negligent or criminal and Drexel faces penalties — judges look more kindly on institutions that have an effective compliance program in place.
The judge will see that the institution did everything it could — it hired a compliance officer, conducted audits and monitoring, educated its workforce — and even if you weren’t able to prevent an employee from perpetrating a fraud, the institution can get up to a 90-percent reduction in penalties.
For example, one risk that goes to the core of compliance programs and healthcare institutions is billing. If improper billing is found to be fraudulent, damages are trebled. So when you read in the newspaper that a health care institution has had to pay a fine of $60 million, it isn’t that they overbilled $60 million. That’s the multiplier of three on what they did.
That’s why a compliance program is more or less an insurance policy. It protects you, it educates, it monitors and audits, and it corrects problems when they arise.
Universities also handle a lot of personal information, and privacy is half of this office’s function. We’re responsible for protecting health information of patients and research subjects and propriety information that could be important to the University, as well as data of employees, staff, faculty and students.
Q: Why create this office now?
A: When the College of Medicine became fully merged with Drexel this year, it brought with it new compliance issues for the University overall. Certain legal requirements and risks come with having a medical school and treating patients and handling private information.
The College of Medicine’s stationery used to have a disclaimer at the bottom: “A nonprofit subsidiary of Drexel. Drexel University does not provide health care.” That was on every piece of college stationery for 14 years, but that’s not true anymore. Now, Drexel assumes the risks.
Things are also changing in the country as a whole. People are really paying attention to the combination of regulatory risk in general and the new privacy risks raised by cyber threats, especially. In the past two or three years, universities everywhere have added compliance programs at the university level, instead of just maintaining them in their health sciences areas. Right now, Northwestern, Southern New Hampshire University and Rice University are looking for compliance officers or directors, to name a few.
Q: How would you rate our compliance program?
A: It’s good — I mean we’ve been running it successfully for a long time already at the College of Medicine, which is a large, complex organization with 1,500 employees, 260 physicians and close to 1,000 medical students. We just have to scale up the seven key parts of a good compliance program — internal monitoring and audits, implementing compliance standards, designating a compliance officer, training and education, procedures for responding to and correcting problems, a hotline and well-publicized policies.
As part of my office’s new scope, my team has had to pull in the College of Nursing and Health Professions (CNHP), and any clinical services. CNHP opened up 14,000 square feet of clinical space for their new wellness program, and they’re seeing patients there. They may not be taking money yet, but I’m sure they’re going to be. So, that opens a whole new area of risk, which is why I’m elevating my folks to the University level, so that they can go in and review and audit there.
Q: What’s the difference between compliance and ethics?
A: Compliance is related to auditing, monitoring and educating on regulations and standards. Compliance is making sure that we abide by socially accepted rules, regulations and laws that govern the activities we’re involved in and our own policies. Ethics are personal; it’s about doing the right thing, above and beyond.
Many of the policies that are under my oversight deal with ethics: conflicts of interest, business relationships with industry, our gift policy. We can set the University policies and procedures about what our expectations are, but when you get down to it, it’s a question of whether or not the behavior is morally acceptable, personally acceptable.
The policies help to steer people in the right direction, but they’re still judgments. So we have to adjudicate. That’s why the acceptance of gifts policy has a waiver process. A team of three people selected from across the University decide if something is right or wrong. People will call up and say, “I’ve been offered X, Y and Z gift or have been offered a ticket,” and we’ll decide if the behavior falls outside the policy and should be waived.
Our office mantra is, “We never guess, we ask.”
Q: Since you’ve been elevated to this office, what steps are you taking to improve oversight to manage all this, and make sure that your message is getting out?
A: I’ve started by creating a new position in my office for an executive director of compliance and privacy services. This person will be responsible for growing the program at Drexel, providing education, monitoring our compliance hotline and investigating problems.
We’re also developing educational and training opportunities, including mandatory compliance training for the University. In the meantime, my staff will come to a department and provide tailored training and education. Departments interested in this can call me at 215.255.7819.
My office has also begun putting out quarterly updates to inform University personnel about changes to compliance and privacy policies, and to continue to educate them about what constitutes a potential violation, as well as how to report a problem if they sense something is happening that would jeopardize the University or its reputation.
Q: What should employees do if they become aware of a problem in their department?
A: The first contact should be your supervisor, who can assist in determining the appropriate place to report your problem. Immediate emergencies or criminal acts, including sexual assault, should be reported to law enforcement, either the Philadelphia Police Department or the Drexel Police. Routine workplace disputes or grievances should be addressed by the University department that has expertise in those matters, such as Human Resources, the Office of Equality and Diversity or the Office of Disability Resources.
But for questionable situations such as possible fraud, professional misconduct or misuse of funds or data, or in cases where the problem involves one’s supervisor, anyone can call my office directly (215.255.7819) or use the University’s anonymous “Reporting Allegations” hotline at 866.358.1010.
Q: Who handles the hotline and what happens when someone dials that number?
A: The Reporting Allegations hotline is operated by an independent third-party company called Navex-Global (formerly EthicsPoint). The company provides a 24-hour call center with operators trained to interview the caller and classify the nature of the complaint. Reports can be submitted anonymously by calling or filling out a form on the website.
Callers may choose to be anonymous, and if they do so, they’re assigned an access code for their use only, so they can check back for a response from my office and continue to correspond confidentially about the issue they’ve raised. I triage the report, and may ask for clarification or additional information. The issue is then investigated by either my office or another appropriate department or combination of departments such as internal audit, Human Resources, the provost or the Office of Equality and Diversity, depending on the expertise required for the issue.
Although the system is set up for confidentiality, obviously an investigation is always more effective and efficient when the identity of the reporter is known. And sometimes discussing the facts of a situation erode the case’s anonymity. But everyone should recognize that Drexel has a no-retaliation policy for callers who self-identity. Whistleblower law and University policy protect the caller — that no-retaliation feature is part of what is required in an effective compliance program.
Q: What are the possible outcomes if someone is found to have violated Drexel¹s compliance policies?
A: The most important outcome is the strengthening of policies and procedures to make sure the problem doesn’t happen again. Those found to have committed violations are subject to HR’s progressive discipline policy up to and including termination. Criminal activity is handled with the appropriate authorities. Unfortunately, terminations have occurred, and that will happen on the privacy side too.
Q: What’s that compliance hotline again?
A: It’s called the “Reporting Allegations” hotline and the number is 866.358.1010.
This article first appeared in the Winter 2015 edition of Drexel Quarterly.