Q&A With Kaiser Permanente's Compliance Officer

Matt Kelly | October 19, 2004

This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.

We’ve never interviewed the compliance officer of a nonprofit before. What do you oversee?

Well, Kaiser is a complicated institution. It’s really a partnership between the medical groups—there are eight of them, which are for-profit groups, in the various states where we do business—and the nonprofit side, which is Kaiser Foundation Hospitals and Healthplans. I am the chief compliance officer for the latter.

My responsibility is to ensure that all our businesses are in compliance with all applicable laws, regulations and accreditation standards. I’m also responsible for managing the ethics and integrity programs of the organization.

Sketch out the structure Kaiser uses for compliance, given its complexity. How many people are involved?

First, the idea is not that the national compliance organization, which I head, would be responsible for all the compliance functions—hell, we’d have hundreds of employees. Rather, our job is to provide direction, validation, performance standards. Basically we hold the units and the people responsible for the compliance function accountable.

We have a network I’d characterize as a tricycle. I have about 53 full-time equivalents in my office, who are responsible for specific subject areas. I have a health care delivery and professional services compliance group, which concentrates on clinical issues; I’ve got a federal programs group, since we have nearly 900,000 Medicare members; I have an audit-and-investigations unit of more than 10 people. So we have a lot of employees there at the national compliance organization.

We also have a lot of regional compliance officers. One of the things I've changed, at the express mandate of the board, was to create permanent, identifiable compliance resources in the regions. When I first started in 2002, there were only a few compliance officers in the regions and most had other functions. That's no longer the case. They are full-time officers in each jurisdiction and we helped them get a staff. There are about 65 to 70 of those folks ...

The third wheel of the tricycle is the compliance function within the national organization leadership, such as the HR department. I've asked each of the team leaders at the national level to identify their own compliance officers, who have a dual reporting relationship to the operations folks and to me as well.

You sit on Kaiser's board, too. What is that relationship like?

My position is probably unique. I was an outside director and head of the finance committee when the board asked whether I would accept the job of chief compliance officer—the idea being, I'd remain on the board of directors while assuming the new responsibility. The real purpose the board had was to send a message to the organization that compliance was a priority. By designating one of their own to lead the function, it was a signal to the leadership of how important that principle was.

But many compliance officers present to the audit committee, or the CFO, or some similar action. What do you do?

I report to the CEO for administrative purposes, and to the audit-and-compliance committee of the board. I sit on other committees, but I'm a reporting entity to the audit committee. I give reports at almost every board meeting; we have six a year.

Were you the first compliance officer at Kaiser?

Someone did precede me, at the vice president level. I'm at the senior vice president level, which is as high as you can go without being CEO.

Was that choice to elevate the job driven by Enron and other debacles of the time?

No, interestingly enough. The board actually began an inquiry and hired an outside consultant in 2001 before Enron really started in earnest. It was really an outgrowth of a study we'd started a few years earlier ... ultimately it was simply the board's reaction to federal expectations, given the regulation of the healthcare industry and expectations of a compliance program. Since we’re a primary Medicare entity, for example, there are all sorts of very specific compliance expectations. The board wanted to make sure we do it correctly.

You came from a series of high-profile civic jobs in Los Angeles before Kaiser. Was the transition difficult?

Yes and no. It’s somewhat comical; most people have a hard time understanding my career, including me. From 1974 to 1991 I was a lawyer ... and for a decade, I was a primary outside counsel for BlueCross of California. I handled hundreds of cases as lead outside litigator for BlueCross entities, and that decade of healthcare litigation experience turned out to be invaluable. I’d also been on the board of directors for 10 or 11 years before being asked to assume this job, so that’s exposure to healthcare issues of one kind or another for 20 years … I’ve had a broad and diverse career, but it is somewhat hidden if you look at my resume.

At a public company, though, a lot of your job would be accounting minutiae. Did you endure a learning curve on that front, or does Kaiser face different strictures as a nonprofit?

You’re right, the accounting part is different. We don’t have shareholders; we don’t have SEC regulations. But we have some accounting requirements. The truth is we have a strong finance function, and a strong internal audit function with whom the compliance function coordinates a lot. I do have a few accountants on my auditing staff with financial backgrounds, so we’re not devoid there. I’d say in general the accounting requirements are less burdensome in many respects than a publicly held corporation, and responsibility for their veracity is spread among three or four of us.

Kaiser is trying to meet Sarbanes-Oxley standards. How do you do that, when much of the law doesn't apply to you?

The board chose to comply with Sarbanes-Oxley voluntarily more than a year ago, and we're implementing that now. It is somewhat difficult, because there is an "interpretive" series of questions necessary since many of the requirements apply to public companies, which we are not ...

For example, we're undertaking a pretty exhaustive process right now where finance and internal audit are in the lead on identifying control issues under Section 404. I participate some, but it's primarily in their ballpark. There are other functions that are more my responsibility, but in general I'd say we are not in the lead, we're a participant.

Section 404 is a good example. Public companies face a compliance deadline in two months. Are you striving to meet that deadline too, or has Kaiser set its own goal?

We're trying to meet it as closely as we can, given the reality of our complexity and the fact that we aren't like everybody else. That we are not a for-profit has slowed it down a bit, but I'd say we're moving as rapidly as possible. Because we do have a little flexibility, our attitude is to get it right rather than to get something done so we can claim that we've complied with the law.

Establishing new committee charters, writing a code of conduct ... were any actions like that taken?

We did several things. We call our code of conduct our Principles of Responsibility ... Among other changes, and I was responsible for this, we went through a long process this last year of revising our Principles. Also the board changed the structure of its committee. It was simply the audit committee before, and the audit function expanded to coincide with the Sarbanes requirements, and we decided to include compliance as a dedicated reporting entity to the audit-and-compliance committee. So the charter's scope was changed extensively as a result of Sarbanes-Oxley.

When you revised your code of conduct, how did you solicit input?

The first one we did several years ago, in a process where dozens of people were pulled together in a rather arduous process ... I started by hiring an outside consultant who did a significant amount of benchmarking. I had him rough up a draft, I formed an advisory group where most of the key stakeholders were represented by one or two people, a draft emerged a few months later, we went back to all the basic entities and went through an iterative process, and within eight months we had finished a brand new Principles of Responsibility. I'd say we finished in about a fourth of the time it took originally.

A philosophical question: Why did Kaiser decide to meet Sarbanes standards at all? Many public company executives would think you're gluttons for punishment.

First, the board wanted to emphasize its commitment to integrity and ethical conduct in a way that was unmistakable. Also, as a nonprofit, we have not less, but rather more scrutiny than public companies in many aspects of how we run our business. We thought that if this were an expectation for private corporations ... then we should not be afraid to undertake the same commitment. And there was some acknowledgment that if this were happening here, it would probably spread elsewhere; we do know that insurance commissioners are talking about some version of this in the insurance industry.

You also have to understand that Sarbanes-Oxley was in some cases the first instance of federal legislation of this nature applying to for-profit businesses. We in the health industry have been subject to a whole litany of regulation, and not just financial regulation, in a way that's different from many other businesses. In many respects, this wasn't that big a leap.

Thanks, Dan.
