Nancy Waltermire is a Managing Director and a seasoned professional with a proven ability to manage multi-functional areas of operations and maintain compliance with federal and state regulations. Successful in the implementation and administration of government contracts, Nancy provides consulting and expert services relating to regulatory compliance and operations in the commercial and government-sponsored programs space. Her experience includes working with payers (commercial, Medicare Advantage and Part D, SNP MOC, Medicaid, and Affordable Care Act), providers (ancillary providers and pharmacies), and pharmaceutical manufacturers.

In this edition of Behind the Expert, we spoke with Nancy about the trajectory of the healthcare compliance industry today and the critical experience that defines her approach toward consulting and helps clients succeed in the complex, ever-evolving regulatory compliance industry.

"Rather than reacting, you must be proactive and preventive. By doing this, you will not only be prepared for the potential obstacles that face your company, but you will most likely eliminate obstacles before they appear."

- Nancy Waltermire, Managing Director

1. You've worked with some of the world's largest insurance companies, government agencies, CMS (Centers for Medicare & Medicaid Services), and as a Registered Nurse. How have those experiences shaped your career, and how does it help you better serve clients?

Having a variety of experiences in the healthcare space has been a tremendous asset in my transition into a consultant here at Ankura. Being able to understand the ins and outs of the healthcare space is vital, and my experiences have molded my ability as a consultant. The industry is always changing and knowing how to adapt to the evolution of the healthcare market is integral to serving clients and creating new solutions.

Moreover, having experience in different sectors of the healthcare industry has allowed me to practice in areas I was not always comfortable. However, these experiences have given me tools to create enterprise value for my clients, reduce compliance issues, and keep a smooth operation despite regulatory interference. It is not only my job to solve difficult problems for my clients, but I must educate them so that they are able to prevent similar issues in the future.

2. How has the healthcare compliance industry evolved during your career?

The landscape of the healthcare compliance industry is one that is changing every day, week, month, and year. I’ve had to make sure to stay on top of trends and changes throughout my career. If you are not able to stay in tune with the different intricacies of the industry, then it is impossible to work in the industry – and you will get left behind. This is especially true in the role of a Chief Compliance Officer (CCO). As a CCO, you not only have to know how your position has changed and the different responsibilities of your position, but you have to be aware of all of those under you and the responsibilities of your team.

One method that has been especially helpful in navigating the ever-changing healthcare compliance field has been developing reporting tools to make sure that CMS regulations are being followed.

Having these reports makes it far easier and simpler for myself, my team, and my clients, as it is a one-stop shop for everything CMS. Making sure you are up to date on CMS rules and regulations is vital to a compliance department running smoothly, and you have to make sure that your team is up to the task. You need more than just a CCO to handle all the work that goes into compliance. For this reason, I make sure that I am hiring skilled professionals who have industry experience.

3. How would you say most companies you have worked with approach healthcare compliance initiatives?

Most companies are "reactive" to situations that are presented and obstacles that are put in their way. This strategy is the wrong way to navigate the obscure and complex world of compliance. Rather than reacting, you must be proactive and preventive. By doing this, you will not only be prepared for the potential obstacles that face your company, but you will most likely eliminate obstacles before they appear.

In order to be proactive and preventive, oversight monitoring is key. You have to be ready for what could happen, and you must know the ins and outs of the oversight bodies that are looking into your company. My team and I believe in teaching industry best practices, as well as performing mock audits before CMS comes knocking. Knowing where your company is before facing audits from CMS is incredibly important because you’re empowered to change things before it's too late.

You don’t have to reinvent the wheel either. I advise using the audit tool that CMS provides. In doing so, you are practicing with the exact tool that is going to be used to evaluate your alignment with the latest rules and regulations. By implementing this process, you can put your company in a better position to change before it's too late.

"It is not only my job to solve difficult problems for my client, but I must educate them so that they are able to prevent similar issues in the future."

- Nancy Waltermire, Managing Director

4. If you’re a CCO and you received notice that your organization is going to be audited due to a HIPAA or HITECH breach, what is the first thing you recommend doing?

There are a number of preventive steps that I would take for this. However, if you receive this notice before being able to implement the proactive and preventive steps I previously mentioned, I would start by using the HIPAA Privacy Survey to make sure that you and your company have not been sending data or health information that is not supposed to be sent. By doing this, you will quickly see whether there is going to be a problem. Also, make sure to use the tools from the Office for Civil Rights (OCR) to ensure that you are following HIPAA.

Other measures that I would take as a CCO of an organization set to be audited are:

1. Walking around to look at the desks of your team when people are at lunch in order to see if employees are leaving their screens on, as this can lead to violations.
2. Confirming that sales and marketing team members are storing and sharing their screens on their laptops cautiously as stated in the Company HIPAA Policies. Meaning that they're being careful discussing or sharing Personal Health Information, (PHI).
3. Know when you have to report a breach and when you don’t have to.
4. Report breaches as fast as possible and work with your General Counsel; and
5. Perform mock audits of IT security and everything in between.

Following these measures is paramount to ensuring your team is ready for a HIPAA or HITECH audit and has taken ample steps to be prepared.

This also holds true if you receive a letter from CMS that you have been selected for a CMS program audit. In this scenario, it is critical to:

1. Immediately alert all senior leaders and their staff
2. Begin to follow the CMS current Program Audit Protocols
3. Conduct mock audits where applicable based on risk assessments and oversight and monitoring results
4. Begin to prepare key individuals/participants for responding to CMS during the audit of live cases and reports

Health plans/payers should be conducting Mock CMS Audits annually to be more prepared when selected for a CMS program audit. We can assist in conducting mock audits and providing industry best practices.

5. How should companies approach compliance to position themselves for success?

Compliance is a business issue for the whole company. It is something that goes all the way up to the Board of Directors and should be top of mind for everyone in the C-suite, not just the Chief Compliance Officer. As a CCO, you cannot get granular. You are reporting to the executives, the CEO, and then the Board. I advise developing a red, yellow, and green tool for the risks that the company faces. By doing this, you cover all your bases. Also, make sure to not only use the tools that your company is providing but use the tools that everyone else is using. Be aware of all of the preventive measures out there and use them to your advantage.

6. Is there an example of an especially challenging engagement you have faced recently? How did you handle these high-stress cases?

We have one case where we are working with a managed care organization that contracted out case management to a vendor. If you contract out to a vendor, you still have to follow all of the regulations, and in this case, the vendor was not following the latest regulations and the company is now being audited. We’re partnering with the business to rectify this within a tight timeline of a month. And the stakes are extremely high as this is the second time the organization is being audited and as a result, can lose their contract with the CMS. This specific case shows the importance of conducting consistent oversight and monitoring of all First Tier, Downstream Entities in accordance with CMS Managed Care Manual Chapter 9/21. Also, having regular meetings, and auditing them to make sure they are following CMS guidelines.

7. Do you typically work with smaller payers or more large-scale for Medicare and Medicaid, and what do you and your team bring to the table?

We work with small payers and large payers. No matter how small or how big you are, you have to follow the same regulations. In terms of Medicare, it is the same in every state, so regulations must be met regardless of the size of where you are. Medicaid is a little bit trickier, as there are state and local regulations that companies must follow, which can oftentimes lead to trouble. State and local regulations are an afterthought for many companies, and we have to be keenly aware of the intricacies of different localities so that we can alert clients of how they need to be acting in different areas.

My team and I also stress the importance of diversity in action when partnering with any client. This means making sure that all of the key players are at the table when developing processes, including people from claims, marketing, finance, etc. It goes all the way up the food chain to the executives and the Board of Directors. Staying true to this approach means everyone from top to bottom is involved with compliance. Companies and their executives should not be afraid to talk to compliance – compliance should be your best friend.

I tell our clients that my team and I are available for them at all times. We are a comprehensive service that will be anywhere, do anything in our power, and respond at the drop of a hat. I tell all my clients, “Just call me.”

- Nancy Waltermire, Managing Director

This interview was conducted by Connor McCulloch, a Senior Associate in the Ankura Washington, DC office, and Christina Aguilera, a Marketing Manager in the Ankura Nashville Office.