Index AboutEthikos SelectedArticles SampleIssue EthikosOnCD-ROM PreviewOfNextIssue
PastArticlesByIssue PastArticlesBySubject OrderEthikos Links Contact
top 903

[Return To Selected Articles]

May/June 2003 - By Andrew W. Singer

Health Care Service Corporation's Ethics Certification Process

Some of the most rigorous and effective corporate ethics programs have grown out of failure. A seminal case, perhaps, is General Dynamics, which in the late 1980s built a model program upon the ashes of the defense contracting scandals. (See ethikos, March/April 1990.)

Health Care Service Corporation (HCSC) offers a more recent example. A scandal still shadowed the health insurer at the time of the 1998 merger of Blue Cross and Blue Shield of Illinois and Blue Cross and Blue Shield of Texas that formed HCSC.

In July 1998, Chicago-based Health Care Service Corporation pled guilty to eight felony counts and agreed to pay $144 million after admitting it concealed evidence of poor performance in processing Medicare claims for the federal government in its Marion, Illinois facility earlier in the decade. Among other things, HCSC signed a Corporate Integrity Agreement with the Office of Inspector General of the U.S. Department of Health and Human Services.

It was this Integrity Agreement that has informed and spurred development of a program with several interesting elements, in particular an unusually thorough management certification process.

Management certification

According to the Corporate Integrity Agreement, "every management employee must meet annually with all employees under his or her direct supervision to discuss the Compliance Program and Code of Business Ethics and Conduct (the Code) and to certify in writing that he or she had done so."

This is separate and distinct from compliance training and is designed to demonstrate management’s commitment to the compliance program and "foster an atmosphere in the work area that is conducive to compliance and disclosure and ultimately enhance and strengthen the program’s infrastructure," according to the company.

During these meetings, which can take place any time during the year, managers discuss the company’s non-retaliation policy and review corporate resources like the hotline, as well as other places that employees can go to report wrongdoing, such as Internal Audit, Human Resources, and Legal. Each manager talks, too, about his or her personal availability to address issues that might arise. They review the code of business conduct, and make sure that employees possess a copy of the code and know how it applies to their work area, according to Nancy Donaldson, Vice President, Compliance, Health Care Service Corporation, Richardson, TX.

There is some flexibility built into this requirement. As noted, meetings can take place any time during the year, and a manager can decide whether he or she wants to meet one-on-one with employees, or discuss the certification at a department meeting, say.

A departmental meeting

How does this work in practice? Take Donaldson’s own compliance department. She has three direct reports, each of whom also has several direct reports. Compared with the rest of the company, this is a relatively small department. Therefore, when it came to her own management certification process, Donaldson elected to schedule a single departmental meeting. She and her direct reports developed handouts. They decided which person would present each part of the program. (The rule is that every manager must speak at some point; no one can remain mum.) They reserved the conference room. The management certification section took less than 30 minutes.

Things may work differently in a unit with 300 employees, acknowledges Donaldson. There the vice president might meet with his or her five directors, each of whom might meet with six or seven managers. Each manager, in turn, might assemble 30-40 employees in a classroom-like setting.

There was less flexibility the first full year that management certification meetings were held. Then managers were told: between this and this time you will carry it out. The second year of the process, they were given a wider window: Meetings were to be held between July and the end of the year. In 2002, HCSC made management certification an annual requirement—"so they can choose the best setting."

A manager may want to hold a meeting in April, for instance, in conjunction with the annual staff meeting. Or they may want to do it in January, when employees have their annual one-on-one performance appraisal meeting. It is all left to the manager’s best judgment.

Management certification forms are available on the company’s intranet, along with the company’s 13-page compliance program policy. Managers can return the completed forms via e-mail or they can mail back hard copies.

Frequently asked questions

Also posted on the intranet site are "frequently asked questions" about the management certification process. This feature sheds additional light on how the program actually works. Some examples:

• "What if I don’t have direct reports anymore?" Answer: Managers must still complete the bottom half of the form and send it in.

• "Do I have to meet with my employees individually or can I meet with them as a group?" Answer: "Either way is fine"—whatever best suits the manager’s personal style. The management team in a particular department can even "partner" with another management team to "co-facilitate" meetings, a kind of team teaching approach. If this alternative is chosen, however, "each member of the management team who participates must 1) play an active leadership role throughout the meeting, and 2) complete and return the Management Compliance Certification Form."

• "I have independent contractors and temporary employees from the Kelly Temporary Agency working for me; should they be included in my meeting?" Answer: They should be included. "It is important for all individuals working at HCSC to be familiar with the content and application of the Code and Compliance Program."

• "What should I talk about during the meeting?" Answer: They should review the Code and also the compliance program, providing examples, if possible, of how the Code applies to employees’ work. In addition, they should address specific talking points:

Review the corporate resources available to address integrity concerns.

Assure employees of personal availability to address integrity concerns.

Review the Non-Retaliation/Non-Retribution Policy.

Inform employees that compliance with the Code and Compliance Program is a condition of employment. HCSC will take disciplinary action up to and including termination of employment for violation of the Code, Compliance Program, or any applicable law or regulation.

Discuss other company policies, i.e., the Corporate Information Security Policy Manual, of which employees should be aware.

This year HCSC received about 1,500 management certifications; only about 60 of those expected were not turned in—despite many reminders and follow ups. The names of those who failed to meet this requirement were sent to senior management with the recommendation that this shortcoming be reflected in their performance evaluations and compensation. The compliance office also passed on the names to internal audit, requesting an audit in the following year to determine whether their performance evaluations and compensation were, in fact, affected by their failure to file the certification.

"We decided this year we had to do it," says Donaldson, explaining the hard-nosed approach. Managers had had a few years, after all, to get used to the process. Now they had to deliver.

Filed under the False Claims Act

It is no surprise that particular attention is given to the company’s non-retaliation/non-retribution policy. The company takes whistleblowing seriously. As well it should. It was, after all, a breakdown in the reporting process that got the company into hot water back in the 1990s.

Blue Cross and Blue Shield of Illinois had been under contract to the federal government to process claims submitted by Medicare beneficiaries and their doctors. Over the years, a worker in the Marion, Illinois facility, Evelyn Knoob, witnessed a wide range of wrongful activity, including destruction and falsification of documents. In March 1995 she brought suit under provisions of the False Claims Act, which permit a citizen to sue on behalf of the United States alleging fraud on the federal treasury. Under the Act, the plaintiff, also known as a "relator" or a "whistleblower," can recover 15 to 25 percent of the damages paid to the United States if the government intervenes in the action. Although initially reluctant, the government did finally intervene.

In July 1998, the U.S. Department of Justice announced, "The relator [i.e., Knoob], the government and HCSC have agreed to settle the civil lawsuit for $140 million. The relator will receive, at the time of the final settlement, $21 million." HCSC also agreed to pay $4 million in criminal fines.

Back in Marion in the 1990s, workers found instances of wrongdoing, and they tried to report it. "But management didn’t deal with it," recalls Donaldson. The company had a hotline, but it was not well communicated. "The company let her down," says Donaldson of the woman who eventually blew the whistle.

HCSC’s revised compliance program, introduced in late 1998, took about a year to develop. It involved revised training, dissemination of the code, and notices to all offices about the new requirements.

In 2000, the company conducted its first compliance "refresher" course. These sessions run one-and-a-half hours for managers, one-and-a-quarter for non-managers.

The company also runs training sessions for new employees. These are two hour sessions, and include a video that provides an overview of the code. This video is updated every year.

A ‘To Do List’

This year Donaldson developed a handout outlining managers’ four compliance responsibilities. It is called the "2003 Management Compliance ‘To Do List’" The four items are:

• Annual compliance training. This can be live or computer-based training, and it is for managers, managers’ staff, and non-management staff.

• Initial compliance training for new employees. As noted, these two-hour training sessions are required for all new employees. They are presented by the corporate compliance department and are required of both managers and non-managers.

• A conflict-of-interest statement. This is a document that discloses any "material interest" that is in conflict, or likely to be in conflict, with an employee’s duties. The manager has to see this is completed.

• Management certification. It is emphasized that this requirement "is not intended to replace or duplicate the compliance training that is conducted by the Corporate Compliance Department each year."


Donaldson was asked if the management certification process has been marked by resistance on the part of managers. "There has been a little. We struggle every year about how to do it better." It isn’t so much resistance as difficulty understanding why this is important.

What are the keys to making this work? "One thing is to clearly communicate the requirement. We try to improve this every year. We struggled with getting management to embrace it as something that was important for them. It’s a challenge to keep it fresh—not just something that they have to do."

Each year they try to do something different, whether it be new hand-outs, or novel suggestions as to how managers might restructure the meetings.

Why is it important for managers to explain about non-retaliation? "No one wants their employee to call the hotline," says Donaldson, "or go to the compliance department." Managers would much prefer that their employees come to them with issues. "This is your opportunity to convince employees that you’re serious about this," she tells managers.

Thus, managers might state to their direct reports that they "strongly support the non-retaliation policy, and that their employees should feel comfortable coming to them no matter which issue is raised."

"We can preach all day long that there’s a retaliation policy that can protect you, but it’s their manager who they’re afraid of, who has the opportunity to retaliate." Clearly, it has more impact, then, if it is the manager who talks about non-retaliation. o

Andrew Singer is Co-Editor of ethikos.
Reprinted from the May/June 2003 issue of ethikos.
© 2004 Ethikos, Inc. All rights reserved.

[Return To Selected Articles]

BOTTOM-BAR_2103Site Designed By West Coast CreativeE-MAIL US NOW