GZ: After earning your JD, you worked as an attorney for the Social Security Administration (SSA) Office of Hearings and Appeals for four years before becoming a compliance professional with a hospital. At what point along the way did compliance as a career path become something of interest?
KZ: The U.S. Department of Health and Human Services Office of Inspector General’s (OIG) original hospital compliance guidance document for hospitals came out during my last year with the SSA Office of Hearings and Appeals. It was at that point that I told my dad that I wanted to switch career paths.
GZ: What was it about compliance, and healthcare compliance in particular, that attracted you to it?
KZ: Without a doubt, two things attracted me to compliance, and in particular, healthcare compliance. The first thing that drew me towards compliance was my undergraduate degree at the University of Oklahoma. The degree is called a letters degree, which is like a classics degree on steroids. The degree focuses on philosophy, languages, and history. The idea that I could help organizations create an ethical culture or that I could help create processes that would make it easier for individuals to do the right thing was intoxicating to me.
The thing that drew me towards healthcare compliance was the mission. Coming out of law school, I wanted to “wear the white hat,” work for the federal government, and help taxpayers. Working for the SSA Office of Hearings and Appeals, I felt like I was helping people in need. When I went to work for a safety net health system at the beginning of compliance programs, the mission was palpable. I could see the patients and their families. I could see how I could recognize risk, mitigate it, and help the system serve its mission better. I fell in love with the idea that I could essentially deputize every employee I interacted with, how they could influence the employees they interacted with, and how we could empower employees to do good.
GZ: You’ve been in compliance advisory roles for the last 20 years. What have been the most significant changes in the challenges faced by healthcare compliance professionals over this time?
KZ: That’s a complex question that depends on lots of variables. In general, I would say the sophistication of government and commercial payer data analytics systems are a challenge to the compliance industry. Physicians, leadership, operational employees, and compliance professionals are often unaware of the extent to which individuals have transparency into coding and billing issues, especially federal payers and enforcement. Additionally, the Centers for Medicare & Medicaid Service’s Open Payments data provides transparency regarding physician behavior. The above, combined with the U.S. Department of Justice’s (DOJ) desire to hold individuals accountable, poses a challenge to healthcare providers. However, I believe one of the biggest challenges to compliance professionals across the country is to what extent compliance officers are positioned appropriately within their organizations. And this issue of correct placement and correct reporting structure can be extremely complex.
Often, leadership is unaware of appropriate reporting structures. This can be a bit of a “catch-22” scenario because if compliance officers aren’t at the right level, they might not be in a position to educate leadership regarding appropriate reporting structures. And compliance officers might not be capable of delivering the message that they should be at a certain level and that they should be a “strategic adviser to leadership.” This is where I tell compliance officers to rely heavily on industry guidance documents like DOJ’s compliance document and OIG’s multiple compliance guidance documents (including its most recent compliance document). Throughout my career, I’ve interviewed many CEOs. When I let them know that the government would expect to see certain things regarding reporting structures or the position of the compliance officer within their organization, and when I let them know that OIG and DOJ attorneys would ask certain questions based on the previously mentioned documents during depositions, they usually make changes to improve the position of the compliance officer.
However, to what extent leadership wants “a” compliance program versus an “effective” compliance program or “the best compliance program” may also be a challenge to the industry. What I mean here is leadership might not want the compliance officer to “rock the boat.” They might want the compliance officer to stay in their “sandbox” and not “bother” operations. This is where I tell compliance officers that it’s important to have a standing executive session with their board compliance committee, assuming the compliance officer reports or has access to the board compliance committee. Additionally, compliance departments can perform self-assessments of the compliance program, or hire a third party to assess the compliance program and compliance activities across the organization, both of which might provide the momentum to cause leadership to appropriately place the compliance officer within the organization.
And one final risk that I see across the compliance industry is a concept called the curse of knowledge, which is a cognitive bias that occurs when someone assumes that others have information that is only available to the person doing the communicating, and that person assumes the people to whom they are communicating have the same or similar backgrounds and understanding. I see this across the industry when compliance officers assume board members and leadership have similar backgrounds and understanding of compliance issues, rules, and regulations. And I see it especially when CEOs assume employees have similar backgrounds and understanding of the CEO’s view of the organization’s culture. It is imperative that compliance officers and compliance departments communicate effectively and gird against the negative impacts of the curse of knowledge.
GZ: You’re one of the instructors for HCCA’s virtual Compliance Essentials Workshop and a frequent speaker at HCCA and other conferences. For someone just starting their compliance career, what advice would you give this individual when they say, “I want to do that, but I’m afraid I’d bomb at it”?
KZ: Compliance professionals can get involved in the industry by doing the following things:
-
Performing training and presentations within their organizations. When I worked at the safety-net hospital, I performed the employees’ compliance onboarding training, and I conducted compliance program training for the residents of the academic medical system that was affiliated with my health system.
-
Reaching out to other compliance professionals in their regions and meeting regularly. When I started in compliance around 24 years ago, several other compliance colleagues and I created a local compliance group. We would conduct presentations on topics of interest and bring in government folks to speak about compliance issues. This allowed us to practice our presentation skills in front of a smaller audience.
-
Finding out areas that compliance professionals are passionate about. Throughout my compliance career, I’ve been passionate about using compliance programs to create an ethical culture and providing processes to help individuals make ethical decisions. When I first started speaking at conferences, I spoke about things I was passionate about. Compliance professionals new to the industry may want to write or speak about issues they are passionate about.
-
Being the tip of the spear. I think it’s important for compliance professionals to look over the horizon and share with the industry when they encounter new trends in their organization or think the industry needs to move in a certain direction.
Regardless of how they choose to get involved, it is extremely important that compliance professionals become accustomed to stepping outside of their comfort zones. I often say that I’m an introvert who was forced to be an extrovert by becoming a compliance professional. When I first started in compliance, I didn’t have an understanding of many operational areas. I stepped out of my comfort zone to build relationships with the leaders of those operational areas and asked them to help me learn their areas.
GZ: In 2022, you wrote an excellent piece for your firm, Hall Render, and for a vendor, YouCompli, on the importance of culturally impactful metrics. This is something that compliance professionals struggle with. What are the key steps to identifying relevant metrics that are relevant for an organization?
KZ: As I said in those articles, I think effective compliance programs require collaborating with departments organization-wide. But collaboration isn’t possible if compliance officers aren’t at the right table and if they’re not visible.
Culturally impactful metrics help measure to what extent compliance officers are visible, to what extent they are at the right tables, and to what extent the compliance officer understands the business of the organization and how it generates revenue.
Examples of culturally impactful metrics include the number of:
-
Compliance roadshow sessions completed
-
Meetings between the compliance officer and board members and between the compliance officer and CEO
-
Surveys conducted to assess employees’ knowledge of compliance issues
-
Walk-throughs conducted by the compliance officer or compliance staff
-
Individual calls or questions sent to members of the compliance department
-
Operational meetings/huddles attended by the compliance officer or compliance staff
-
Operational compliance plan documents in existence
-
Speaking engagements the compliance team participates in or articles they write
-
Risk-specific department trainings, such as a Stark Law/Anti-Kickback Statute session for medical directors, False Claims Act sessions for coding/billing personnel, Emergency Medical Treatment and Labor Act sessions for emergency department staff
-
Corporate Compliance & Ethics Week activities conducted
-
Clinical roundings attended by the compliance officer
-
Surveys conducted to assess the organization’s culture
A couple of other considerations for culturally impactful metrics are conducting—or budgeting for—an independent compliance program assessment and to what extent the organization has an operational compliance committee.
GZ: This leads me to another area I know you are passionate about: the importance of building relationships. Being successful as a compliance professional depends on a lot of factors. Where would you rank relationship-building as an important skill and why?
KZ: I think compliance professionals’ abilities and commitment to building relationships throughout their organizations are one of the most important factors—if not in the most important in compliance professionals’ success. Often, compliance officers don’t have the authority to tell employees to do X, Y, or Z. The best compliance officers I’ve assessed could be their organizations’ interim chief operating officer (COO), if needed, or would be successful sales professionals if necessary. They understand the business of their organizations and how their organizations generate revenue. And they realize they are selling concepts and ideas, such as convincing employees to do the right thing or asking people to chip in to help create an ethical culture.
Learning the business of an organization and selling concepts and ideas requires compliance professionals to get out from behind their computers and interact with employees. To embed the seven elements into operational areas, compliance professionals need to have relationships with departmental leadership and employees to raise awareness regarding compliance responsibilities, to more effectively assess compliance risks in those operational areas, and mitigate those risks. And the most effective way that I’ve seen to embed the seven elements into operational areas is by using the Institute of Internal Auditors’ Three Lines Model. The use of this model provides compliance professionals with an approach to interact with operational employees and help them identify and mitigate compliance risks at the operational level.
GZ: Continuing this one step further, if a compliance professional recognizes that relationship-building is an area they want to improve, where should they start? What are some key steps someone could take to improve in this area?
KZ: About five years ago, I performed a compliance program at a small health system. When I asked leadership and operational employees about their perceptions of the compliance officer, the overwhelming response was that the compliance officer was visible and involved in operations.
When I asked the compliance officer how he managed to be so visible and involved in operations, he told me that he had created a system to track the amount of time he spent interacting with employees. He tracked the amount of time he spent conducting training, how often he participated in meetings with operational teams, and how often he was in front of groups of employees.
Keeping track of how often the compliance officer/staff interacts with operational employees is a start. One of the simplest things compliance officers can do to be more visible and begin to reach out to employees has to do with one of my biggest pet peeves: not being able to find the compliance officer on the organization’s webpage. Most organizations have a “leadership” page on their websites. And very often—despite leadership saying they support the compliance officer—the compliance officer is not listed on the organization’s leadership page. Employees tend to pick up on things like this.
My advice to compliance officers/compliance staff is don’t wait to be asked to join a committee or a meeting. Don’t wait to be asked to learn about an operational area. Invite yourself to join committees; shadow operational leaders for a day or several days; sit down with your COO or chief financial officer and ask them to explain how the organization runs and the challenges of their jobs. If you’re virtual, attend operational Zoom/Team meetings. If you’re on-site, walk the halls.
GZ: I love a good metaphor, and in a recent conversation you and I had, you mentioned that the compliance professional shouldn’t be the Eeyore of the organization. What do you mean by that?
KZ: Over the last 20 years or so, leaders have asked me for advice regarding hiring their next compliance officer. My general answer to them is hire someone who is more Tigger, less Eeyore (from the Winnie the Pooh stories). Operational leaders have a crushing amount of responsibility on their shoulders. They are responsible for generating revenue, taking care of patients, running departments, etc. Over the years, I’ve witnessed compliance professionals who tend to be negative or lack energy when interacting with employees/leadership. This type of compliance professional often leads with the negative possibility, saying things like, “I don’t look good in orange . . . ” rather than saying, “How can I help improve operations?”
As I alluded to earlier during this interview, one of the things that drew me to the compliance industry is the philosophical aspect of creating an ethical culture, creating a culture that’s conducive to employees doing compliance activities, helping create processes that make it easier for employees to do what’s right, and often how employees perceive the compliance officer/compliance department matters. And if the compliance officer/compliance department is not aware of their perception throughout the organization, it might be difficult to build relationships and embed the seven elements into operational areas.
GZ: Similarly, when we talked about the role of the compliance officer in maintaining an effective compliance program, you said, “The dentist doesn’t brush your teeth for you.” What were you getting at with this?
KZ: First of all, it cracks me up that you remember that! In short, I mean that my dentist tells me what I’m supposed to do. She tells me what’s expected of me. She holds me accountable by meeting with me every six months when I have my regular cleanings. She doesn’t come to my house, put toothpaste on my toothbrush, and watch me brush my teeth. That’s my responsibility. That’s what I’m supposed to do. As a “good person,” I’m supposed to take steps that will benefit me. I’m supposed to brush my teeth and floss. It’s not my dentist’s job to brush my teeth; it’s my job to do it.
This is why I’m a huge proponent of operational compliance committees. These committees are usually made of director-/vice president-level employees who meet monthly or every two months. The typical functions of the operational compliance committee are:
-
Assist and advise the compliance officer with all aspects of the compliance program.
-
Develop, implement, and report on compliance efforts occurring in their respective departments.
-
Assist in monitoring the effectiveness of the overall compliance program.
-
Assist with compliance risk identification and risk mitigation.
-
Assess and advise on compliance policies and procedures.
-
Oversee and advise on compliance training.
-
Oversee compliance auditing and monitoring.
-
Assess and advise on reported compliance matters.
-
Oversee the status of corrective actions.
And, as my friend Rob Mendoza once said, the operational compliance committee serves as the organization’s conduit to accountability. It is the place where they can ask the committee members if they are brushing their teeth and flossing . . .
GZ: In 20 years of advising organizations, you’ve worked with a lot of compliance professionals and compliance programs, ranging from highly ineffective to very effective. What are some of the personal and professional traits shared by the compliance officers of the most effective programs you’ve seen?
KZ: To understand the most effective, I think it’s necessary to discuss the least effective. It’s important for compliance officers not to be complicit. By that, I mean they can’t accept the “wink, wink deal” with leadership to stay in their sandbox and not address the tough issues such as physician arrangements, coding and billing, HIPAA Privacy and Security rules, quality, etc. It’s important for compliance officers not to accept poor reporting structures. It’s important for compliance officers to step outside of their comfort zones and ask tough questions, to be the “adults in the room,” and be professionally skeptical.
The best compliance officers I’ve seen know the business of their organizations. They empower operational leaders to build mini-compliance programs in their operational departments. They embrace and use the three lines risk framework and operational compliance committees to make employees aware of their responsibilities and hold them accountable. They deputize everyone they come in contact with, like Tiggers bounding around their organizations. They step out of their comfort zones. They are constantly preaching and selling the mission and vision of the compliance department. They are visible and strive to be at the right tables across their organizations; as the U.S. Federal Sentencing Guidelines say, they constantly “promote an organizational culture that encourages ethical conduct.”
GZ: Thank you, Ken.