This interview with Matthew Tuchow was conducted in June by Adam Turteltaub (adam.turteltaub@corporatecompliance.org), Vice President of Strategic Initiatives & International Programs, Society of Corporate Compliance and Ethics & Health Care Compliance Association
Matthew Tuchow, Chief Compliance and Business Integrity Officer, Veterans Health Administration, U.S. Department of Veterans Affairs Washington, DC
AT: Like pretty much everyone else in compliance, you didn’t get there in a straight line. Your career spanned time at law firms in Japan and the US, as well as a year working for a congressman. How did you end up doing compliance work?
MT: I love being proactive, getting ahead of the curve, teaching people to do the right thing rather than cleaning up messes at the back end. I also believe that by promoting ethics, integrity, and compliance, we are promoting corporate and institutional responsibility, which benefits society at large.
AT: It would probably be good if you gave people a better understanding of McKesson and some of the risks that you had to manage there. It’s a huge global company that is really deeply involved in healthcare.
MT: Yes. McKesson is one of the largest companies in the United States, and if not the largest, one of the largest US healthcare companies by revenue. The company is a large distributor of pharmaceuticals and medical-surgical supplies, and it provides healthcare technology, physician practice management, and specialty services. There were many risks! Key risks that I was focused on mitigating at McKesson included healthcare fraud, government contracting, corruption risks, data privacy, and regulatory risks.
AT: What led you to pursue the opportunity at the Veterans Health Administration (VHA)?
MT: I wanted to give back and had always been interested in public service and government, and I thought I might be able to bring some lessons about building successful compliance and ethics programs that I had learned in the private sector to the public sector, and hopefully add value.
AT: The VHA, which is part of the Department of Veterans Affairs (VA), is an enormous institution. Can you give us a sense of the size and scope of its operations?
MT: VHA is the largest healthcare organization in North America, serving over 9 million Americans with over 1,000 points of care and over 320,000 employees. In fact, the VA is the second largest agency in federal government after the combined Department of Defense.
AT: How is the compliance program structured to cover all those people and facilities?
MT: We have a team of about 40 compliance professionals at the headquarters and compliance officers embedded in each of our 140 largest medical centers, as well as regional compliance officers in 19 regions across the United States.
AT: One thing that I found interesting that you explained to me is that in addition to being a provider, the VHA acts very much like an insurer. You’re a payer to local service providers. I imagine that there are two impacts. First, you have to look at a whole range of additional compliance issues. Second, it’s got to be illuminating for the VHA’s internal compliance efforts. Yes?
MT: This is correct. VHA is first and foremost a very large network of integrated medical centers with all the risks and issues associated with being a direct provider of care. But, as veterans have greater opportunities to obtain their healthcare in the community, given the size and scope of the VHA, the agency has quickly become a substantial payer for external healthcare, and that brings with it additional risks and issues. One risk area that my team is now focused on is fraud, waste, and abuse (FWA); we want to prevent FWA and, if we can’t prevent it, we want to detect it and remediate it. We want to help the agency be a good steward of taxpayer money.
AT: I want to spend some time focusing on all the differences you found when moving into compliance work in the government sector. With more governmental entities embracing compliance programs, there are likely to be many others who follow your path. First, some may ask, “Why does a governmental entity have to care about compliance?” Turns out it does, and I believe you had told me that the VHA was designated by the Government Accountability Office (GAO) as being high risk. Can you give us some background?
MT: First and foremost, as veterans have more opportunity to obtain their medical care in the community, the VA must maintain the trust of veterans to be the provider of choice. Maintaining a culture of integrity and compliance with laws and regulations affecting the system are essential to maintaining that trust. To do so, we are striving to build as effective a compliance program as any private sector entity.
You asked about the GAO and external regulation. This was an area that surprised me about serving as a compliance officer in the public sector. I know the tremendous power that public sector regulators have in promoting compliance in the private sector. But, I had no idea that there were significant pressures on public agencies like the VA to comply with laws, regulations, and internal policies as well. In fact, there are many layers of external regulators: there is the VA Office of Inspector General, there are the 535 members of Congress that hold hearings and provide oversight, and there is the GAO, to name a few. Before joining the VHA, the VA was placed on what is called the “high-risk” list by the GAO for: (1) ambiguous policies and inconsistent processes, (2) inadequate oversight and accountability, (3) information technology challenges, (4) inadequate training for VA staff, and (5) unclear resource needs and allocation priorities. Sound familiar? Notice the parallels with several elements of an “effective” compliance program.
Being placed on the high-risk list is a little bit like having a corporate integrity agreement in the private sector. The agency must demonstrate leadership commitment, manage capacity, develop action plans, have monitoring, and demonstrate adequate progress to be removed from the list. So, I was hired to convert a narrowly focused compliance program on revenue cycle at the VHA into a compliance program with a much larger scope that would assist the agency to demonstrate adequate oversight and accountability and to, over time, help the agency to get off the high-risk list.
AT: For someone working in the private sector, moving to the government sector can be a bit disconcerting. What were some of the key differences that you found, both from a traditional work perspective as well as from a compliance perspective?
MT: I love the mission focus of the organization. At the VA, people choose to work here and oftentimes take a cut in pay to do so, because they believe in the mission of giving back to those who gave so much to their country: injured veterans. In fact, Abraham Lincoln founded the organization that was to become the Department of Veterans Affairs, and the VA’s mission, engraved in the VA headquarters building, remains to fulfill Abraham Lincoln’s promise: “To care for him who shall have borne the battle, and for his widow, and his orphan.”
But from a compliance perspective, I am struck by the formality of the organization. Being a large federal agency, many decisions at VHA require headquarters “Directives” or formal letters from senior officials to be implemented. This can lead to less spontaneity and slower decision-making than I am used to in the private sector. For example, during my first year at VHA, my team did a great job of simplifying a complex compliance risk assessment tool. Although field compliance officers had been trained on it and even praised the new tool, they felt uncomfortable implementing it until they received a formal memo from senior headquarters officials directing them to do so. I was able to obtain such a memo and the risk assessment proceeded, but it was delayed several weeks.
I also was struck by the lack of an internal, senior-level compliance governance body at the agency equivalent to an executive compliance committee or audit committee of a board of directors or board of regents. Therefore, I helped create a surrogate last year called the Audit, Risk and Compliance Committee (ARCC). It is made up of many high-level officials in the VHA. The ARCC has led to greater leadership awareness of, accountability over, and oversight of compliance, audit, and risk activities. For example, after conducting our enterprise compliance risk assessment last year, we brought our findings and a recommendation on key compliance risks to address in the coming year to the ARCC. After receiving its approval, we began to build our work plans.
AT: You were also making the switch from being a distributor to healthcare entities, to being a frontline provider of services. How did you have to reorient your thinking?
MT: Well, I had to learn a lot about hospitals. Many of the leaders of VHA are physicians, so I had to learn medical vocabulary and learn about the world of hospital administration. But many applicable healthcare laws and regulations are the same.
AT: Also, given that the VHA serves, well, veterans, you had to adjust to certain military aspects. How was that?
MT: Yes. Here too, I had to learn military vocabulary and protocol. VHA is really an amalgam of physician and military cultures. I know more three-letter acronyms than I thought possible! I must say I was flattered during my first month on the job when staff rushed to open the door for me, saluted, and said, “After you Chief!” I can’t say Compliance was treated with quite that amount of deference in the private sector!
AT: I don’t want to make it seem that it was all so different and alien. I imagine that there was much that felt like any other compliance assignment. Yes?
MT: Absolutely. When I arrived at the VHA, the framework for the compliance program was the HHS OIG’s guidance on an effective compliance program for hospitals. I thought I would find a dearth of programs implementing each element. In fact, I found a mixture of very sophisticated programs and processes and the absence of others. I found a very sophisticated risk assessment process and data monitoring and analysis program. But there was no VHA-specific code of integrity (although there was an existing code of conduct for all federal employees regarding conflicts of interest). So, I worked to develop one and recently rolled out a VHA-specific Code of Integrity.
AT: Finally, how do you see compliance evolving over the next five to ten years?
MT: I believe that the ethics, culture, and “people” part of our jobs will remain constant. Human nature will continue to be human nature, and we will need to continue to inspire people to behave with integrity.
However, technology will impact us greatly for good and bad. I worry about the ability of people to use technology to commit fraud and to manipulate data maliciously. At the same time, I believe that we will be able to use big data to help mine and visualize risks in a more advanced fashion and, therefore, aid our efforts to be proactive, to get ahead of and mitigate emerging or hidden risks, and detect and remediate others.
Ultimately, I believe that our profession is a noble one: that we seek to encourage the better angels of human nature.
AT: Thank you, Matthew, for sharing your insights with us.