This is the accessible text file for GAO report number GAO-07-79 entitled 'Hospital Accreditation: Joint Commission on Accreditation of Healthcare Organizations' Relationship with Its Affiliate' which was released on January 16, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: December 2006: Hospital Accreditation: Joint Commission on Accreditation of Healthcare Organizations' Relationship with Its Affiliate: GAO-07-79: GAO Highlights: Highlights of GAO-07-79, a report to congressional requesters Why GAO Did This Study: Hospitals must meet certain conditions of participation established by the Centers for Medicare & Medicaid Services (CMS) in order to receive Medicare payments. In 2003, most hospitals—over 80 percent—demonstrated compliance with most of these conditions through accreditation from the Joint Commission on Accreditation of Healthcare Organizations (Joint Commission). Established in 1986, Joint Commission Resources, Inc. (JCR), a nonprofit affiliate of the Joint Commission, provides consultative technical assistance services to hospitals. Both organizations acknowledge the need to ensure that JCR’s services do not—and are not perceived to—affect the independence of the Joint Commission’s accreditation process. GAO was asked to provide information on the relationship between the Joint Commission and JCR. This report describes (1) their organizational relationship, and (2) the significant steps they have taken to prevent the improper sharing of information, obtained through their accreditation and consulting activities, respectively, since JCR was established. GAO reviewed pertinent documents, including conflict- of-interest policies and information about the organizations’ financial relationship, and interviewed staff and board members from both organizations, JCR clients, and CMS officials. What GAO Found: The Joint Commission and JCR have a close relationship as demonstrated through their governance structure and operations. The Joint Commission has substantial control over JCR and the two organizations provide operational services to one another. For example, JCR manages all Joint Commission publications, while the Joint Commission provides support services to JCR. Despite the Joint Commission’s control over JCR, the two organizations have taken steps designed to protect facility- specific information. In 1987, the organizations created a firewall—policies designed to establish a barrier between the organizations to prevent improper sharing of this information. For example, the firewall is intended to prevent JCR from sharing the names of hospital clients with the Joint Commission. Beginning in 2003, both organizations began taking steps intended to strengthen this firewall, such as enhancing monitoring of compliance. Ensuring the independence of the Joint Commission’s accreditation process is vitally important. To prevent the improper sharing of facility-specific information, it would be prudent for the Joint Commission and JCR to continue to assess the firewall and other related mechanisms. Figure" Relationship between the Joint Commission, JCR, and Hospitals: [See PDF for Image] Source: GAO analysis of the Joint Commission and JCR documents and interviews. [End of Figure] The Joint Commission agreed with GAO’s concluding observations. CMS did not comment on GAO’s findings or concluding observations. Both provided technical comments, which we incorporated as appropriate. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-79]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Leslie G. Aronovitz at (312) 220-7600 or aronovitzl@gao.gov. [End of Section] Contents: Letter: Results in Brief: Background: The Joint Commission Has a Close Relationship with JCR through Their Governance Structure and Operations: The Joint Commission and JCR Have Taken Steps to Prevent the Improper Exchange of Facility-Specific Information: Concluding Observations: Agency Comments: Appendix I: Scope and Methodology: Appendix II: Timeline of Key Developments in the Organizations' Relationship: Appendix III: Policies, Protocols, and Guidelines Related to the Firewall, as of 2006: Appendix IV: Elements of the Firewall Policies, as of 2006: Appendix V: Comments from the Joint Commission on Accreditation of Healthcare Organizations: Appendix VI: GAO Contact and Staff Acknowledgments: Table: Table 1: Joint Commission's Powers Over JCR Enumerated in JCR Bylaws: Figures: Figure 1: Relationship between the Joint Commission, JCR, and Hospitals: Figure 2: Board Structure of JCR in Relation to the Joint Commission: Abbreviations: CEO: Chief Executive Officer: CFO: Chief Financial Officer: CMS: Centers for Medicare & Medicaid Services: CSR: Continuous Service Readiness: HHS: Department of Health and Human Services: JCR: Joint Commission Resources, Inc. United States Government Accountability Office: Washington, DC 20548: December 15, 2006: The Honorable Charles E. Grassley: Chairman: Committee on Finance: United States Senate: The Honorable Pete Stark: Ranking Minority Member: Subcommittee on Health: Committee on Ways and Means: House of Representatives: In order to be eligible to receive payments from Medicare--the federal program that provides health care benefits to over 42 million elderly and disabled beneficiaries--hospitals must meet certain criteria established by federal law. The Centers for Medicare & Medicaid Services (CMS), the federal agency within the Department of Health and Human Services (HHS) that administers Medicare, has established conditions of participation that hospitals must meet to be eligible to participate in the Medicare program. The Joint Commission on Accreditation of Healthcare Organizations (Joint Commission), a nonprofit corporation, has developed its own accreditation standards that are intended to meet or exceed Medicare's conditions of participation.[Footnote 1] Hospitals accredited by the Joint Commission are, in general, deemed to meet most of the conditions to be eligible for Medicare payment.[Footnote 2] In 2003, most hospitals--over 80 percent--demonstrated that they met the applicable conditions of participation through accreditation from the Joint Commission.[Footnote 3] The Joint Commission's status as a hospital accrediting body was established by statute in 1965, and consequently, can only be changed by Congress.[Footnote 4] Although CMS has approved other organizations' hospital accreditation programs, the Joint Commission is the only organization whose approval is expressly provided for in statute. As such, the Joint Commission is not required to periodically reapply to CMS for this approval. In 1986, the Joint Commission created Joint Commission Resources, Inc. (JCR),[Footnote 5] a nonprofit, controlled affiliate.[Footnote 6] JCR's stated purpose is to assist health care organizations in improving the quality of their care through educational and research activities. Of particular interest, JCR provides consultative technical assistance services--referred to as "consulting services" throughout the remainder of this report--to health care facilities, including individual hospitals and members of state hospital associations, to help facilities comply with the Joint Commission's accreditation standards. While JCR is a separate entity legally from the Joint Commission, the organizations are related corporate entities. As a result, the two organizations have acknowledged the need to ensure that JCR's consultative services do not affect, and are perceived not to affect, the independence of the Joint Commission's accreditation process, either through the improper sharing of information about facilities using JCR's services with Joint Commission accreditation staff or through any implication that using JCR's services will provide an undue advantage in the Joint Commission accreditation process. Both of the organizations attempted to address these concerns through the development of a "firewall"--policies designed to establish a barrier between the organizations to prevent conflicts of interest and sharing of facility-specific information.[Footnote 7] For example, the firewall is intended to prevent JCR from sharing the names of its hospital clients with the Joint Commission. You asked us to provide information on the relationship between the Joint Commission and JCR as it relates to the hospital accreditation process. In this report, we describe (1) how the Joint Commission and JCR are related to one another through their governance structure and operations, and (2) the significant steps both organizations have taken to prevent the improper sharing of facility-specific information, obtained through their hospital accreditation and consulting activities, since the creation of JCR. To describe the relationship between the Joint Commission and JCR, specifically as it pertains to their governance structure and operations, we interviewed senior staff at both organizations, including the President of the Joint Commission and the individual who serves as both President and Chief Executive Officer (CEO) of JCR. We also interviewed board members from the Joint Commission and JCR and reviewed documents from both organizations, including documents related to the organizations' financial relationship.[Footnote 8] Further, we interviewed staff at CMS to obtain information on their oversight of the Joint Commission and other accreditation organizations, and reviewed reports CMS provides to Congress related to its validation surveys of Joint Commission accredited hospitals. To further our understanding of issues related to organizational governance, conflicts of interest, and independence standards, we interviewed officials from both the private and public sector[Footnote 9] and reviewed pertinent documents. To provide information on the significant steps taken by the Joint Commission and JCR since JCR's creation to prevent the improper sharing of facility-specific information, we reviewed relevant policies developed by the two organizations. We reviewed versions of the firewall and related policies issued between 1987 and 2006 and interviewed senior staff with responsibility for this area, including the person who serves as the Corporate Compliance and Privacy Officer (Compliance Officer) for both organizations. We also conducted interviews with staff members at each organization to obtain information on their understanding of the firewall and related policies and guidelines, their training on these policies and guidelines, and their awareness of possible firewall violations. In addition, to learn about JCR's clients' understanding of the relationship between JCR and the Joint Commission, we conducted interviews with state hospital associations that, as of May 2006, used JCR's consulting services, and hospitals that used these services during calendar year 2005. We also conducted interviews with state hospital associations that had not used JCR's consulting services as of May 2006 to learn more about their reasons for not doing so. The information provided from our interviews with staff, state hospital associations, and hospitals reflects the comments of those we interviewed and cannot be generalized to all Joint Commission and JCR staff or all state hospital associations and hospitals using JCR consulting services. (For additional information on our methodology, see app. I.) We conducted our work from October 2005 to December 2006, in accordance with generally accepted government auditing standards. Results in Brief: Although the Joint Commission and JCR provide different types of services to health care organizations, they remain closely related to one another in their efforts to achieve their similarly stated missions. Their close relationship is demonstrated through both their governance structure and operations. The Joint Commission has substantial control over JCR through powers provided in JCR's bylaws as well as through Joint Commission commissioners that also serve on JCR's board. In addition, the two organizations provide various operational services to one another. The Joint Commission and JCR have taken steps designed to prevent the improper sharing of facility-specific information obtained from their accreditation or consulting activities. In 1987, shortly after the creation of JCR, the organizations developed initial firewall guidance. Beginning in 2003, both organizations began taking additional steps designed to enhance the firewall guidance. They have also implemented additional policies and guidance designed to further strengthen the firewall between the two organizations. Both the Joint Commission and JCR report providing training to staff on these policies, and have developed mechanisms to allow staff to report possible firewall violations. They both have also taken steps, primarily since 2003, to strengthen the oversight of the implementation of, and compliance with, the firewall and related policies. Ensuring the independence of the Joint Commission's accreditation process is vitally important. To ensure that the firewall and other mechanisms instituted are sufficient to prevent the improper sharing of facility-specific information, it would be prudent for the Joint Commission and JCR to continue to assess these mechanisms and monitor their implementation. The Joint Commission agreed with our concluding observations and emphasized that its highest priority is to preserve the integrity of its accreditation process. CMS did not comment on our findings or concluding observations. Background: The Joint Commission, a nonprofit organization founded in 1951, was created to provide voluntary health care accreditation for hospitals. All but one of the Joint Commission's founding members continued to serve on its Board of Commissioners as of October 2006, including the American Hospital Association and the American College of Surgeons.[Footnote 10] The standards established by the Joint Commission address a facility's level of performance in areas such as patient rights, patient treatment, and infection control. To determine whether a facility is in compliance with those standards, the Joint Commission conducts on-site evaluations of facilities, called accreditation surveys. The Joint Commission recognizes a facility's compliance with its standards by issuing a certificate of accreditation, which is valid for a 3-year period. In 2004, the Joint Commission implemented a new accreditation process in an effort to encourage hospitals to focus on continuous quality improvement, rather than survey preparation. Previously, facilities were told in advance when Joint Commission surveyors would conduct their evaluations. As a part of the new process, the Joint Commission began conducting unannounced surveys.[Footnote 11] The Joint Commission employs over 900 staff members, including approximately 200 hospital surveyors from a range of disciplines--such as physicians, nurses, and hospital administrators--who conduct the accreditation surveys. In 2005, the Joint Commission accredited approximately 4,300 hospitals. The Joint Commission established JCR to provide consultative technical assistance to health care organizations seeking Joint Commission accreditation. (See fig. 1.) JCR is governed by a Board of Directors and employs approximately 180 staff members, including consultants located throughout the country. In 2000, the Joint Commission expanded JCR's role beyond consulting to include all educational services, such as seminars and audio conferences, which the Joint Commission previously provided. (See app. II for a timeline of key developments in the Joint Commission and JCR relationship.) JCR also became the official publisher of the Joint Commission's accreditation manuals and support materials. JCR offers consulting services either independently to health care facilities or through a subscription-based service called the Continuous Service Readiness (CSR) program, which is typically offered in partnership with state hospital associations.[Footnote 12] The CSR program provides ongoing technical assistance and education to subscribers through a variety of means, including meetings, e-mails, telephone calls, and conferences. Figure 1: Relationship between the Joint Commission, JCR, and Hospitals: [See PDF for image] Source: GAO analysis of Joint Commission and JCR documents and interviews. [End of figure] In 2004, we reported that CMS's oversight of the Joint Commission hospital accreditation process is limited. Although it conducts on-site validation surveys of a sample of Joint Commission-accredited hospitals, the agency cannot restrict or remove the Joint Commission's accreditation authority if it detects problems.[Footnote 13] CMS reported that the agency and the Joint Commission engage in ongoing dialogue to identify potential hospital accreditation performance issues. In addition, CMS provides an annual report of its findings to Congress. Unlike the Joint Commission, JCR is not subject to any oversight by CMS. When developing policies regarding its relationship with JCR, the Joint Commission has been affected by the increased focus in both the public and private sectors on governance issues. The Sarbanes-Oxley Act of 2002,[Footnote 14] passed in response to corporate and accounting scandals, required publicly traded companies to follow new governance standards, including those designed to ensure auditors' independence from their clients. Even though most provisions of the Sarbanes-Oxley Act are not applicable to nonprofit organizations, activities that have occurred in the wake of the act have affected nonprofits. For example, several state legislatures are considering legislation that applies standards similar to the Sarbanes-Oxley requirements to nonprofit organizations. In addition, some nonprofit organizations, such as the Joint Commission, have voluntarily adopted policies and altered governance practices based upon the act. Organizations in the public and private sectors have also begun to institute compliance programs[Footnote 15] and those that provide accreditation or certification services have developed standards to ensure the independence of these services. Compliance programs for health care organizations--such as hospitals, home health agencies, and medical supply companies--have used provisions of the federal Sentencing Guidelines,[Footnote 16] developed in 1991, as a program model. These guidelines lay out two common principles of adequate compliance programs--to prevent and detect criminal conduct, and to promote an organizational culture of ethics and compliance with the law. In 1998, the HHS Office of Inspector General developed a model compliance program for hospitals.[Footnote 17] Regarding independence standards, organizations that provide accreditation or certification, or recognize accreditation bodies, have begun to impose certain criteria to demonstrate independence. For example, the Department of Education developed criteria for educational accrediting bodies that are designed to ensure that those organizations granting accreditation are not improperly influenced by related trade or membership associations. The Joint Commission Has a Close Relationship with JCR through Their Governance Structure and Operations: The mission statements of the Joint Commission and JCR both share the same phrase of seeking "to continuously improve the safety and quality of care." While each organization differs in the activities it engages in to achieve that mission, they maintain a close relationship through both their governance structure and operations. The Joint Commission has substantial control over the governance of JCR through the powers retained by the Joint Commission in JCR's bylaws as well as through the Joint Commission's representation on JCR's Board of Directors. In addition, JCR manages all Joint Commission publications and educational activities, while the Joint Commission provides various support services and some management oversight to JCR. The Joint Commission Has Substantial Control over JCR through Its Governance Authority: The Joint Commission has substantial control over the governance of its affiliate, JCR. In 2003, the Joint Commission undertook a major review of the structural, operational, and legal aspects of its relationship with JCR in an effort to address any real or perceived conflict-of- interest issues. This review led to the restructuring of JCR through revisions to JCR's bylaws, which govern the internal affairs of the organization, and resulted in changes to the composition of JCR's board and the appointment of board officers. In particular, after the restructuring the Joint Commission no longer retained a majority on the JCR board through board members who served on the boards of both organizations. However, through changes to JCR's bylaws, the Joint Commission maintained control over JCR by reserving powers that would otherwise have been exercised by JCR. The 2003 restructuring of JCR allowed the Joint Commission to effectively maintain control over JCR by implementing a change in the "corporate membership" of JCR. Similar to for-profit entities that may have stockholders, nonprofit corporations may have corporate members who, in general, are responsible for major organizational decisions, such as electing the corporation's board.[Footnote 18] If a nonprofit corporation does not have any members, the corporation's board of directors holds decision-making authority.[Footnote 19] With the restructuring of JCR, the Joint Commission became the "sole member" of JCR. The sole member has the ability to exercise substantial control over the affiliate through its "reserved powers"--powers that would otherwise be exercised by the affiliate board, if the sole member did not reserve them for itself. When the Joint Commission became the sole member of JCR, its reserved powers included those previously held and a number of additional powers, as shown in table 1.[Footnote 20] A practicing attorney with expertise in transactions involving nonprofit health care organizations and who has served as external counsel for the Joint Commission considers this structure necessary to enable the parent to protect itself from the possibility of the affiliate acting against the parent's interests. However, an article published in a law journal cautions that this structure allows the parent to make decisions solely in its own interest without considering the impact on the affiliate.[Footnote 21] Table 1: Joint Commission's Powers Over JCR Enumerated in JCR Bylaws: Joint Commission's powers in JCR bylaws before 2003 restructuring: * Appoint JCR directors; * Remove JCR directors, with or without cause, by a two-thirds vote; * Appoint the JCR board chairman; * Approve amendments to JCR articles of incorporation and bylaws; * Approve JCR's mission statement and strategic plans; * Approve all JCR debt in excess of $250,000; * Approve JCR's budget; * Approve JCR's dissolution. Joint Commission's powers added to JCR bylaws as a result of 2003 restructuring: * Appoint JCR board vice chairman and President/CEO; * Remove JCR board chairman, vice chairman, and President/CEO, with or without cause; * Amend JCR articles of incorporation and bylaws; * Approve all creations of subsidiaries or controlled affiliates, mergers, consolidations, certain affiliations, and all joint ventures of JCR involving capital investments in excess of $250,000; * Approve sale or encumbrance of all or substantially all assets of JCR; * Approve all liquidations from JCR. Source: GAO summary of the Joint Commission and JCR Bylaws. [End of table] As part of the 2003 restructuring, the Joint Commission took steps to reduce the proportion of persons serving on the JCR board who also served as board members on the Joint Commission board. Prior to the 2003 restructuring, JCR's board had 13 directors with a majority--7 directors--from the Joint Commission, including the President of the Joint Commission as an ex officio director with voting rights.[Footnote 22] The other 6 directors were from outside the Joint Commission, and included the CEO of JCR as an ex officio director with voting rights. After the 2003 restructuring, directors from the Joint Commission no longer comprised the majority of members on JCR's board. There are 17 directors on JCR's board, consisting of 7 Joint Commission directors-- including the President of the Joint Commission as an ex officio director with voting rights--and 9 external directors who cannot be, either concurrently or within the prior 3 years, Joint Commission commissioners or employees. The President/CEO of JCR also serves on the JCR board, serving as a voting ex officio director.[Footnote 23] (See fig. 2.) Figure 2: Board Structure of JCR in Relation to the Joint Commission: [See PDF for image] Source: GAO analysis of Joint Commission and JCR documents. [End of figure] Directors we interviewed who serve on both the Joint Commission and JCR boards said that serving on the two boards has not been problematic because both organizations share the same mission. However, they also recognized the potential for overlapping board members to be faced with competing organizational interests if differences between the Joint Commission and JCR arise. These directors noted that, if competing organizational interests were to occur, the Joint Commission's reserve powers would dictate the final decision. The restructuring also affected the appointment of JCR officers. Prior to the restructuring, the President and the Chief Financial Officer (CFO) of the Joint Commission also served in those same positions for JCR. The CEO of JCR was appointed by, and reported to, the President of the Joint Commission, and could only appoint other JCR officers after consulting with the Joint Commission's President. Changes to JCR's bylaws through the 2003 restructuring removed the requirement that the Joint Commission's President and CFO serve in those positions for JCR. Rather, the Joint Commission appoints and has the power to remove the President/CEO of JCR. The President/CEO of JCR also now has the authority to appoint officers, such as the CFO, without consulting with the Joint Commission's President. In addition, the Joint Commission, rather than JCR's board, now appoints the vice chairman of JCR's board. One other noteworthy change as a result of the 2003 restructuring dealt with the role of two Joint Commission board committees in relation to JCR and the creation of a new JCR board committee. The Joint Commission created a Governance Committee, which has a number of responsibilities involving JCR, such as nominating JCR board directors and certain officers. This committee also has oversight responsibility for JCR governance issues and JCR conflict-of-interest policies, and reviews the bylaws and other documents of JCR. Further, the Joint Commission expanded the responsibilities of an existing committee--the Finance and Audit Committee--to include reviews of annual financial audits and other matters related to oversight of the firewall between the Joint Commission and JCR. Within the JCR board, a Firewall Oversight Committee was created as a result of the restructuring. This committee is charged with monitoring compliance with the firewall and related policies. The Joint Commission and JCR Provide Operational Assistance to One Another: The structure of the Joint Commission and JCR allows the two organizations to provide certain operational assistance to one another. The Joint Commission provides support and management services to JCR. Through a January 2001 service agreement, the Joint Commission provides JCR with financial, legal, marketing and public relations, human resources, accounting (bookkeeping and payroll), information technology, and other support services such as office management and mail.[Footnote 24] JCR pays for these services through a management fee.[Footnote 25] The methodology used to determine the appropriate allocation of expenses varies by department. For some departments, the allocation is based upon JCR's percentage of total revenues, whereas in other departments, the estimate is made using the amount of time spent doing work on behalf of JCR. Departments also vary in whether they include overhead costs in the allocation. Along with support services, the Joint Commission also provides management services to JCR through its General Counsel and Compliance Officer.[Footnote 26] For example, all JCR materials, including the publications it produces on behalf of the Joint Commission and materials produced for its own purposes, must be reviewed and approved by the Joint Commission's General Counsel prior to issuance. The Compliance Officer, a position created by the Joint Commission in 2005, oversees compliance duties for both the Joint Commission and JCR. Among other duties, the Compliance Officer is responsible for implementing, providing training on, and monitoring compliance with the firewall policies.[Footnote 27] The Compliance Officer reports directly to the President of the Joint Commission and President/CEO of JCR, the Joint Commission's Governance Committee, JCR's Firewall Oversight Committee, and may also report to the full boards of both organizations. The Compliance Officer is aided by a Compliance Council, which was created in late 2005 and consists of members who represent multiple departments from both the Joint Commission and JCR. The Council works with the Compliance Officer to develop an annual work plan that focuses on areas of greatest risk, recommended training, auditing, and measures of the compliance program's effectiveness. JCR also provides assistance to the Joint Commission, including publication and educational services. The Joint Commission transferred its publications and educational product lines to JCR in 2000 in order to combine support services within JCR and to allow for organizational separation between the Joint Commission's evaluation and accreditation function and the consultation and educational services provided by JCR. JCR currently offers a variety of educational programs regarding Joint Commission accreditation, including seminars, e-learning opportunities, and audio, satellite, and video conferences. These programs cover a range of topics and include information on the Joint Commission standards and changes to those standards. JCR also publishes its own books on health care issues and periodicals on patient safety and quality improvement. The operational services the Joint Commission and JCR provide to one another result in a flow of funds between the two organizations. In exchange for the license to publish Joint Commission materials, JCR pays the Joint Commission a royalty fee that ranges from 4.75 to 9.5 percent on gross sales. JCR also annually transmits assets to the Joint Commission in excess of the amount needed to operate JCR's business. The amount of the transfer is based on a formula that considers JCR's cash, investments, and average operating expense.[Footnote 28] The Joint Commission and JCR Have Taken Steps to Prevent the Improper Exchange of Facility-Specific Information: The Joint Commission and JCR have taken steps, primarily since 2003, designed to strengthen the firewall guidance initially developed in 1987, shortly after the creation of JCR. They have also further developed guidance addressing the relationship between the two organizations. In addition, they have made an effort to educate staff at both organizations on these matters and have enhanced monitoring of compliance with the firewall and related policies. The Joint Commission and JCR Have Policies Designed to Prevent the Sharing of Facility-specific Information: The Joint Commission and JCR firewall polices were initially developed as guidelines in 1987. Relatively few changes were made to these guidelines until 2003, when they were extensively modified. In addition, since 2003, the Joint Commission and JCR have developed other policies and guidance designed to further strengthen the firewall between the two organizations. Firewall Policies: Since 1987, shortly after the creation of JCR, both the Joint Commission and JCR have operated under a set of firewall guidelines designed to prevent conflicts of interest between the Joint Commission's accreditation activities and JCR's consultative services. Between 1987 and 2003, the firewall guidelines were modified twice-- once in 1992 and again in 1999--to reflect JCR's name change and other issues related to JCR services. In 2003, the Joint Commission and JCR made extensive modifications to the guidelines, which were released to staff in the form of policies in 2004.[Footnote 29] (See app. III for a list of key policies, guidelines, and protocols.) These modifications stemmed from the Joint Commission's review of its relationship with JCR following the passage of the Sarbanes-Oxley Act in 2002. According to senior staff from the Joint Commission and JCR, the revised firewall policies are not based on any specific model. However, they are a component of the two organizations' joint compliance program,[Footnote 30] which was developed in part using the hospital compliance program guidelines issued by HHS's Office of Inspector General. The stated purpose of both organizations' firewall policies is "to eliminate any real or perceived conflict of interest" between the Joint Commission's accreditation activities and JCR's consulting services. Certain requirements in the firewall policies of the two organizations are very similar, such as a prohibition on accessing confidential facility-specific information from, or sharing any facility-specific information with, staff from the other organization. (See app. IV for more information on the contents of each organization's firewall policies.) Joint Commission and JCR staff are also prohibited from suggesting that the use of JCR consulting services is necessary for, or will influence, Joint Commission accreditation decisions. In addition, staff and board members of both organizations are required to sign an annual statement signifying that they have read, and agree to comply with, the firewall policies. Of the 25 staff members we spoke with from the Joint Commission and JCR, all but 1 reported signing the required annual compliance statement and all but 4--2 from the Joint Commission and 2 from JCR--were aware that the firewall policy required them to sign this statement on an annual basis. While both organizations' firewall policies share similar requirements, each has certain provisions that focus specifically on the services offered by its own organization. For example, the Joint Commission's firewall policy stipulates that Joint Commission staff will not seek or solicit information on whether or not a facility has used JCR consulting services. The Joint Commission policy also provides guidance on how Joint Commission staff should respond to requests for consulting services. For example, if a facility asks Joint Commission surveyors for advice on these services, they are required to direct the facility to an appropriate senior staff member in the Joint Commission's central office. That senior staff member can provide limited information on JCR, including its services and the reason for its creation. JCR's firewall policy limits, among other things, the language JCR can use to promote its services. It also requires that JCR's consulting services staff be housed in separate facilities from Joint Commission staff and use separate telephone and computer systems.[Footnote 31] Most of the state hospital associations and hospitals we interviewed that use JCR's consulting services were familiar with the firewall between the Joint Commission and JCR. Of the five state hospital associations we interviewed that participate in JCR's CSR program, four said they were provided with information on the relationship between the Joint Commission and JCR or had been told by JCR staff about the firewall between the two organizations. Further, all five associations stated that JCR staff have never indicated that participation in the CSR program would affect the accreditation process, other than through the general improvements that are expected when using consulting services. Similarly, staff we interviewed at six hospitals that use JCR's consulting services stated that there had been no indication from JCR consultants that the use of these services would influence their facility's Joint Commission accreditation process. Additional Firewall-Related Policies and Guidance: In addition to the recent changes to the firewall policies, the Joint Commission and JCR developed other policies and guidance beginning in 2003 that further address possible areas of risk to the firewall. JCR formalized protocols for its consultants in the field, which provide specific guidance related to their interaction with the Joint Commission staff. For example, if Joint Commission staff members arrive at a facility to conduct a survey when a JCR consultant is on site, the JCR consultant must leave the facility immediately. In 2003, JCR also developed a policy--referred to as the "scope limitations policy"-- which is designed to clarify what services can be provided to Joint Commission-accredited facilities.[Footnote 32] The policy specifically prohibits JCR from providing certain consulting services to facilities after they have undergone a Joint Commission survey, including helping facilities challenge the Joint Commission's accreditation decisions or findings, resolving Joint Commission deficiency findings, or preparing facilities that have been denied Joint Commission accreditation for future surveys.[Footnote 33] In 2004, the Joint Commission developed an additional policy reiterating the importance of the firewall for those Joint Commission employees--information technology and planning and financial affairs staff--who, through the service agreement between the two organizations, need, and are able, to access JCR financial or operational information.[Footnote 34] In addition to the firewall compliance statement all Joint Commission staff are required to sign, these particular staff members are required to sign a separate compliance statement associated with this specific policy. Also in 2004, JCR approved a formal firewall policy related to JCR marketing materials in an effort to ensure that JCR marketing materials contain no implication that purchasing its products or services will impact the Joint Commission accreditation process.[Footnote 35] Because JCR markets some products that it develops on the Joint Commission's behalf--publications and educational services--as well as its consulting services, the marketing policy clarifies the language and logos that can be used on marketing materials for these different products. For example, while marketing materials for the Joint Commission accreditation manuals published by JCR can only carry the Joint Commission logo, JCR's marketing materials promoting its consulting services carry only the JCR logo. In 2006, the Joint Commission and JCR published posters, which are displayed in Joint Commission and JCR meeting rooms, to govern meetings that involve staff from both organizations. These posters reiterate the organizations' firewall policy requirements, in place since 1987, that facility-specific information should not be discussed at meetings that include staff from both organizations and such information cannot be included in materials prepared for those joint meetings. The posters also state that, if facility-specific information must be discussed for business purposes by staff from one organization, the staff from the other organization must leave the meeting. There are a number of occasions when Joint Commission and JCR staff interact during which these guidelines may be applicable. For example, both Joint Commission and JCR staff participate on internal interdepartmental teams designed to review Joint Commission programs and ensure they are valuable to health care organizations. Because these meetings include reviews of the programs' publication and education services--services provided by JCR--JCR staff participate on these teams. Another area of interaction is through educational programs offered by JCR. These programs may include training by Joint Commission surveyors and central office staff and may take place at the Joint Commission's headquarters. The Joint Commission and JCR have also developed a joint code of conduct[Footnote 36] and organization-specific conflict-of-interest policies that, while not focused exclusively on firewall issues, address aspects of the relationship between the two organizations and the independence of the accreditation process. In particular, the Joint Commission's conflict-of-interest policy prohibits staff from providing accreditation-related consulting and prohibits survey staff from surveying facilities to which they provided consulting services during the previous 3 years.[Footnote 37] Similarly, JCR's conflict-of- interest policy prohibits staff from providing external accreditation- related consulting services and prohibits JCR consultants from providing consulting services to any facility they may have surveyed in the past 3 years. The Joint Commission and JCR Have Taken Steps to Train Staff on, and Monitor, the Firewall: The Joint Commission and JCR report providing ongoing training to ensure that staff understand the firewall and related policies. The organizations have also developed mechanisms, primarily since 2003, that allow staff to report possible firewall violations. Both organizations report monitoring compliance with these policies on an ongoing basis and, in 2005, underwent a joint external review of their implementation. Staff Training on Firewall and Firewall-Related Policies: The Joint Commission and JCR reported that both board and staff members receive training on the firewall and related policies--board members are trained when they join the board and staff are trained during new employee orientation. In addition, Joint Commission and JCR staff receive annual training on the firewall and related policies and procedures and are further reminded of these policies through periodic presentations at departmental staff meetings. As of June 2006, the organizations' staff training did not include a testing component to measure how well staff understand the policies.[Footnote 38] However, most staff members and senior staff we spoke with at both organizations were aware of the firewall policies and were able to accurately describe their purpose. All but 1 of the 25 staff members we spoke with--13 with the Joint Commission and 12 with JCR--reported being familiar with these policies. In addition, all but 1 of the 24 staff members who were familiar with the firewall policies stated that the training and information they received made them sufficiently aware of the firewall and its appropriate implementation. None of the 25 staff members we spoke with were aware of cases in which staff from either organization had suggested that the use of JCR consulting services would influence Joint Commission accreditation. In addition to training sessions, staff members at the Joint Commission and JCR have access to information on the compliance program through an intranet Web site.[Footnote 39] This site includes copies of the organizations' respective firewall policies and other compliance- related materials, as well as information on the role of the organizations' joint Compliance Officer and Compliance Council. Mechanisms for Reporting Violations: The firewall policies for both organizations require employees to report violations to their management, the Compliance Officer, or the Joint Commission General Counsel. In keeping with this requirement, senior Joint Commission and JCR management stated that they encourage employees to contact their supervisors or these other management officers if they are aware of possible violations or have questions on the firewall. Of the 24 staff members we interviewed at both organizations who were familiar with the firewall policies, 20 indicated that if they became aware of a violation, they would contact another staff member, such as their direct supervisor, division head, or the Compliance Officer. The Joint Commission and JCR have also developed a compliance hotline that allows staff to anonymously report any concerns related to compliance issues. While the firewall policies require employees to report violations to certain staff, this hotline offers another means of reporting possible firewall violations.[Footnote 40] From its inception in March 2005 through December 2005, the hotline received three calls, none of which involved a firewall violation.[Footnote 41] All 24 of the Joint Commission and JCR staff members we spoke with who were familiar with the firewall policies reported being aware of the compliance hotline. Of those staff members, 6 stated that they would contact the hotline if they became aware of a firewall violation. Monitoring of Firewall and Related Policies: The Joint Commission and JCR staff report taking multiple steps to monitor implementation of, and compliance with, the firewall and related policies. The organizations have created the Compliance Officer position, the Compliance Council, and the JCR Firewall Oversight Committee, all of which have a role in monitoring compliance with the firewall and related policies. According to Joint Commission and JCR staff, the firewall policies have been monitored internally on an ongoing basis and are now subject to external reviews. The Joint Commission conducted an internal review in 2002, which was presented to the Joint Commission and JCR boards in 2003. The 2004 and 2005 firewall policies for both organizations called for an annual audit of the policy by the Joint Commission's Office of Legal Affairs, but these audits were not conducted. According to senior Joint Commission staff, the Joint Commission determined that its legal department could not conduct a sufficient audit and that instead, the audits should be conducted by an external body with experience in this area. In 2005, the Joint Commission and JCR hired a consulting firm to conduct the first external review of the organizations' firewall policies and related guidance. Following this review, in 2006, the requirement for an annual audit by the Office of Legal affairs was deleted and was replaced with a requirement for an annual review, the results of which are presented to the appropriate committees of each board. According to Joint Commission staff, the Joint Commission and JCR anticipate continuing to contract for an external review of the firewall on an annual basis. The external review conducted in 2005 did not identify any major violations of either organization's firewall policy--violations that could potentially breach the integrity of the accreditation process. In its report, the consulting firm stated that the implementation of the firewall policies "represented a reasonable effort to prevent any behavior that could result in a breach of the integrity of the accreditation process." However, because no guidelines or standards exist for this kind of review, the consulting firm did not certify that the firewall and related policies protected the integrity of the accreditation process. The external review did identify some minor violations of the firewall- -defined as violations that resulted from the staff's failure to completely follow operational procedures required by the policies, but which are not considered to potentially breach the integrity of the accreditation process. For example, at the time of the 2005 review, JCR publications and education staff housed in the Joint Commission offices had access to a Joint Commission shared network folder on a computer drive. While this shared folder could not be accessed by JCR consulting staff and Joint Commission surveyors used a separate network, the consulting firm recommended eliminating JCR staff access. The Joint Commission and JCR agreed with this and other recommendations made, and report taking steps to address the issues, including eliminating JCR's access to Joint Commission computer systems.[Footnote 42] In addition to this external review, the Joint Commission reported that, throughout the year, the Compliance Officer monitors concerns and questions related to the firewall and related policies. Based on this analysis, the organizations review the policies to determine what, if any, changes need to be made to improve their clarity. In 2006, the Compliance Officer developed a list of commonly asked questions and answers, which was approved by the senior management of both organizations and released to staff. According to the Compliance Officer, when minor firewall violations are identified, each instance is reviewed to determine if it had any impact on the accreditation decision process and if it was due to a lack of understanding of the policies or was an intentional violation. She will then either provide clarification, counseling, or, if necessary, initiate disciplinary action, including possible dismissal, through the human resources department. As of July, 2006, no Joint Commission or JCR staff had been terminated as a result of violating the firewall policies. However, a senior staff member at the Joint Commission reported that staff have been terminated for violating the Joint Commission's conflict-of-interest policies. This staff member noted that two of the organization's surveyors had been fired for providing consulting services, although these services were not provided to facilities they had previously surveyed. Concluding Observations: Accreditation is a key mechanism to ensure the safety and quality of hospital services provided to Medicare beneficiaries and other members of the public. The Joint Commission's role in accrediting the majority of hospitals participating in Medicare makes the issue of ensuring the independence of the Joint Commission's accreditation process vitally important. Any threat to the independence of the accreditation process could undermine its ability to ensure the safety and quality of services provided to Medicare beneficiaries and the general public. The Joint Commission and JCR have taken steps to protect the Joint Commission's accreditation process from influence by JCR's consulting services by developing mechanisms to protect against the improper sharing of facility-specific information. However, the majority of these mechanisms, including the firewall and firewall-related policies, the compliance hotline, and the annual external review of the firewall, have either been developed or significantly revised within the past few years--primarily since 2003. The next step is for management of both organizations to assure that these mechanisms are sufficient to protect the integrity of the accreditation process. In addition, even with appropriate policies and procedures in place, it will take ongoing monitoring and a concerted effort on the part of the leadership of both organizations to ensure that these policies and procedures are appropriately implemented by both their board and staff members. Agency Comments: We provided a draft of this report to the Joint Commission and CMS for comment. In its response, the Joint Commission agreed with our concluding observations, specifically that ensuring the independence of the accreditation process is vitally important. It indicated that the report accurately reflects its relationship with JCR, and emphasized that its highest priority is to preserve the integrity of the Joint Commission's accreditation process. (The Joint Commission's written comments are reprinted in app. V.) CMS did not comment on our findings or concluding observations. Both the Joint Commission and CMS provided us with technical comments, which we incorporated as appropriate. As we agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution of this letter until 30 days after the date of this letter. At that time, we will send copies to the Administrator of CMS, appropriate congressional committees, and other interested parties. In addition, the report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (312) 220-7600 or aronovitzl@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix VI. Signed by: Leslie G. Aronovitz: Director, Health Care: [End of section] Appendix I: Scope and Methodology: We examined the relationship between the Joint Commission on Accreditation of Healthcare Organizations (Joint Commission) and Joint Commission Resources, Inc. (JCR) as it relates to the independence of the Joint Commissions' hospital accreditation process from JCR's hospital consulting services. To provide information on the governance structure and operations of the two organizations, we reviewed multiple documents, including organizational charts reflecting the organizations' structure as of 2006, a service agreement signed in 2001 and still in effect as of 2006, Internal Revenue Service tax documents from calendar years 2001 through 2004, and agendas and minutes from board meetings of both organizations from 2003 through September 2006.[Footnote 43] We also interviewed the President of the Joint Commission and the President/Chief Executive Officer of JCR, as well as officers from the Joint Commission Board of Commissioners and the JCR Board of Directors. In addition, we interviewed senior staff at both organizations, including the organizations' General Counsel, each organization's Chief Financial Officer, and the Joint Commission's Vice President for Human Resources. To describe the policies the Joint Commission and JCR have developed to prevent the improper sharing of facility-specific information, we reviewed Joint Commission and JCR documents, including current and past policies and guidance related, either directly or indirectly, to the firewall. We also examined training materials and reports from the compliance hotline contractor. We conducted interviews with senior staff from the Joint Commission and JCR. These senior staff included the shared Corporate Compliance and Privacy Officer, the Joint Commission's Vice President of Accreditation Services, and the Executive Directors of JCR's consulting services. In addition to interviews with senior staff, we selected a sample of 15 staff members at each organization to interview. These semistructured interviews were designed to collect information on Joint Commission and JCR staff members' understanding of the firewall and related guidance, their training on this guidance, and their awareness of possible firewall violations. Our selection of staff members concentrated on those who were JCR consultants and Joint Commission staff conducting surveys or working in the areas of information technology, planning and financial affairs, and marketing. We considered these particular staff members more likely to be in a position to breach the firewall than other employees. We selected staff using random lists of JCR consultants, Joint Commission hospital surveyors, and employees from the information technology, planning and financial affairs, and marketing departments, as well as a random list of employees from all other areas at each organization. Selected staff were contacted by phone and e-mail. If, after three attempted phone calls and one e-mail, staff did not respond to our request for an interview we moved to the next staff member identified in our random selection.[Footnote 44] We were able to conduct a total of 25 interviews with Joint Commission and JCR staff. We were unable to arrange interviews with 2 Joint Commission surveyors and 3 JCR consultants. We excluded any Joint Commission survey staff who were not hospital surveyors, JCR staff who provided only international services, senior staff at both organizations who we had already interviewed, and Joint Commission staff acting as liaisons to our work. The information gathered from these interviews reflects the experience of these staff members and cannot be generalized to all Joint Commission or JCR staff. While the interviews provide information on staff awareness of the firewall policies and related guidance, as well as their awareness of possible firewall violations, they are not sufficient to determine if there have or have not been any firewall violations. We also conducted interviews with officials from a random sample of 5 of the 14 state hospital associations that participated in JCR's Continuous Service Readiness (CSR) program as of May 2006, and with officials from 5 state hospital associations that do not participate in the CSR program. These interviews were designed to obtain information on the associations' understanding of the relationship between the Joint Commission and JCR and how they perceived that their participation in the CSR program might impact their members' Joint Commission accreditation. To select the sample for these interviews, we sorted the associations by census regions. We then selected a random sample of associations that participate in the CSR program and a random sample of those that do not from within each census region. We conducted semistructured interviews with each of the selected associations. One state hospital association did not respond to our request for an interview. In this case, we replaced that association with the next association in the same census region identified in our random selection. We also conducted interviews with officials from 6 hospitals that use JCR's consulting services to learn more about their understanding of the relationship between JCR and the Joint Commission. To conduct these interviews, we determined the number of hospitals that had contracted with JCR for these services in calendar year 2005. JCR compiled a spreadsheet that contained e-mail addresses for JCR's 2005 domestic hospital clients. We identified a random sample of JCR's hospital clients and JCR sent these hospitals an e-mail asking them to contact us if they were willing to be interviewed. We selected our sample of approximately 10 percent of that population--80 facilities--using a randomly generated number list. This selection was done at the JCR offices and the e-mails were sent to hospital facilities under our supervision. Facilities were given 2 weeks to contact us to schedule interviews if they were interested. The information gathered from these interviews with JCR hospital clients and the interviews with state hospital associations reflects the experience of these particular facilities and state hospital associations and cannot be generalized to all JCR consulting clients. As part of our work, we also interviewed staff at the Department of Health and Human Services' Centers for Medicare & Medicaid Services to obtain information on their oversight of the Joint Commission and other accreditation organizations. In addition, we interviewed officials from multiple organizations and reviewed documents to obtain background information on possible criteria or best practices related to the governance of nonprofit organizations, conflicts of interest, compliance programs, and independence standards. Those we interviewed included officials at Independent Sector--a coalition of charities, foundations, and corporate giving programs which focuses on strengthening these particular types of organizations--and the Hauser Center for Nonprofit Organizations--a research center at Harvard University focusing on the nonprofit sector. We also interviewed officials from federal agencies and organizations to obtain information on how they separate accreditation or certification programs from consulting services. Those we interviewed included representatives from the Department of Education, the Council on Higher Education Accreditation, and the National Organization for Competency Assurance.[Footnote 45] Because the Joint Commission's status related to Medicare applies only to hospitals, our review was limited to information related to its accreditation of hospitals and services provided by JCR to hospitals. We did not conduct a review of the Joint Commission's accreditation decision process. We also did not review information on other activities conducted by the Joint Commission or JCR that were not related to the relationship between the Joint Commission's hospital accreditation process and JCR's hospital consulting services. Further, we excluded Joint Commission International, a division of JCR that provides consulting and accreditation services to foreign health care facilities, from the scope of our work because these facilities are not eligible to participate in the Medicare program. We conducted our work from October 2005 to December 2006 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Timeline of Key Developments in the Organizations' Relationship: [See PDF for Image] Source: GAO analysis of Joint Commission and JCR resources. [End of Figure] [End of section] Appendix III: Policies, Protocols, and Guidelines Related to the Firewall, as of 2006: Joint Commission Policies. Firewall specific; * Firewall policy; Designed to eliminate any real or perceived conflict of interest between the Joint Commission accreditation activities and JCR's consulting services. Provides specific direction to Joint Commission staff on their interaction with JCR staff and services. This policy applies to all Joint Commission staff; * Firewall policy for planning and financial affairs and information technology staff; Reinforces the Joint Commission Firewall Policies and applies specifically to Planning and Financial Affairs and Information Technology Staff who provide support services to JCR. Non-firewall specific; * Conflict-of- interest policy; Prohibits involvement in activities that might constitute or be perceived to constitute a conflict of interest with the overall mission of the Joint Commission. Requires staff to abide by the Joint Commission's firewall policy and prohibits the disclosure of confidential or proprietary information. Prohibits Joint Commission staff from providing accreditation-related consulting services. Prohibits Joint Commission staff from surveying facilities to which they provided consulting or related services during the previous 3 years. JCR Policies and Protocols. Firewall specific; * Firewall policy; Designed to eliminate any real or perceived conflict of interest between the Joint Commission accreditation activities and JCR's consulting services. Provides specific direction to JCR staff on their interaction with Joint Commission staff and services. This policy applies to all JCR staff; * JCR marketing firewall policy; Provides requirements for marketing strategies to protect the integrity of the Joint Commission accreditation process and ensure that materials contain no implication that purchasing products or services from JCR will impact accreditation decisions; * Protocols for JCR field staff; Provides specific direction to JCR consultants in the field, including their interaction with the Joint Commission staff; * JCR scope limitations policy; Delineates certain consulting services that cannot be provided to Joint Commission-accredited organizations, including assistance in preparing challenges to accreditation decisions, resolving Joint Commission deficiency findings, preparing root-cause analysis for sentinel events, and preparing organizations that have been denied Joint Commission accreditation for future surveys. Non-firewall specific; * Conflict-of-interest policy; Prohibits involvement in activities that might constitute or be perceived to constitute a conflict of interest with the mission of JCR and the Joint Commission. Requires staff to abide by JCR's firewall policy and prohibits the disclosure of confidential or proprietary information. Prohibits JCR staff, in most cases, from providing outside consulting services. Prohibits JCR consultants from providing consulting services to facilities they have surveyed in the past 3 years. Combined Joint Commission and JCR Policies and Guidelines. Firewall specific; * Combined meeting guidelines poster; Guides conduct in meetings that include both Joint Commission and JCR staff, reiterating that organization-specific or nonpublic accreditation or survey process information should not be discussed and, if business needs dictate that organization-specific information be shared, stating that appropriate staff must excuse themselves. Non-firewall specific; * Code of conduct; Provides guidance on standards for staff conduct and the confidentiality of information, including mechanisms in place to help staff report violations of the code of conduct. Source: GAO analysis of Joint Commission on Accreditation of Healthcare Organizations and Joint Commission Resources, Inc. documents. [End of table] [End of section] Appendix IV: Elements of the Firewall Policies, as of 2006: Elements unique to Joint Commission firewall policy: * Staff may not seek or solicit information on whether or not a facility has used JCR and is not provided this information by the Joint Commission or JCR representatives; * Survey teams are instructed that participation in JCR's Continuous Service Readiness program (CSR) is not considered in the accreditation process; * Joint Commission surveyors may not discuss any survey assignments, or possible assignments, with any JCR consulting staff; * Joint Commission surveyors are instructed that survey report forms may not include information on whether or not the surveyed organization has used JCR's services; * A list of current JCR staff is provided to the Joint Commission Historical File Room staff to allow them to monitor access.[A]; * Certain staff who have access to JCR financial and operational information as part of their role in providing services to JCR may not disclose JCR organization-specific information to other Joint Commission staff; * JCR publishes the Joint Commission's accreditation materials and supplies their educational services. These services are promoted in Joint Commission and JCR materials. Any reference in Joint Commission materials to JCR's consulting services is generally limited to acknowledging JCR's existence, its services, and the reason for its creation; * Facilities asking for information on consulting services are referred to the Joint Commission's central office. Staff at the central office will refer to the availability of JCR's services, and will also emphasize the separateness of the Joint Commission's accreditation process from JCR's consulting services; * The firewall policy is posted on the surveyor Web site. Elements common to both Joint Commission and JCR firewall policies: * Staff may not suggest that the use of JCR consulting services is necessary to obtain or influence Joint Commission accreditation; * Staff may not access confidential facility-specific information from, or share facility-specific information with, the other organization; * JCR staff may not access the Joint Commission's Historical File Room.[A]; * Staff at JCR may not access information about the application of the Joint Commission standards or accreditation procedures that is not already available, or will be made available promptly, to outside parties; * JCR staff may not attend Joint Commission surveyor training and may not have access to surveyor educational tools not generally available to outside parties; * All staff must sign a compliance statement on an annual basis.[B]; * The firewall policy is sent annually to all staff, and is referenced in each organization's conflict-of-interest policies, which staff are also required to sign on an annual basis.[B]; * The firewall policy is covered during new employee orientation and training; * Staff must report any violation of their organization's firewall policy to the Compliance Officer, the Joint Commission General Counsel, or their organization's management; * An annual review is conducted to ensure appropriate separation between the Joint Commission accreditation activities and JCR consulting services and the results are presented to the relevant board committees. Elements unique to JCR firewall policy: * Facilities using JCR's consulting services are informed that the Joint Commission is not told that the facility used JCR's services and a disclaimer to this effect is included in JCR contracts; * Participants in JCR's CSR program are informed that Joint Commission survey teams are told that CSR participation is not considered in the accreditation process; * JCR consultants may not communicate with surveyors about specific facility accreditation decisions, may not in any way participate in the accreditation process as a representative of the facility, and may not discuss the choice of surveyors for particular facilities with the Joint Commission; * All JCR promotional materials related to consulting services are reviewed by the Joint Commission Office of Legal Affairs; * JCR consulting services maintain separate offices, telephone numbers, and computer systems from the Joint Commission; * JCR promotional materials are limited to identifying JCR as a nonprofit affiliate of the Joint Commission and the separateness between accreditation decisions and JCR's services should be identified. Source: GAO analysis of Joint Commission on Accreditation of Healthcare Organizations and Joint Commission Resources, Inc. documents. [A] The Historical File Room is a secured space at the Joint Commission offices in Oakbrook Terrace, Illinois. [B] Staff are required to sign compliance statements signifying that they have read, and agree to comply with, both the firewall policy and conflict-of-interest policy that apply to their specific organization. [End of table] [End of section] Appendix V: Comments from the Joint Commission on Accreditation of Healthcare Organizations: Joint Commission: Setting the Standard for Quality in Health Care: November 27, 2006: Mr. David Walker: Comptroller General: Government Accountability Office: 441 G Street, N.W. Washington, DC: Dear Mr. Walker: The Joint Commission appreciates the opportunity to comment on the Government Accountability Office (GAO) draft report Hospital Accreditation: Joint Commission on Accreditation of Healthcare Organizations' Relationship with its Affiliate (GAO-07-79). Soliciting the views of entities that are the subject of your reviews helps to ensure accuracy and provide context for these assessments. In the present examination, the Joint Commission believes that the GAO has conducted a comprehensive and thorough study of the relationship between the Joint Commission on Accreditation of Healthcare Organizations (Joint Commission) and its affiliate, Joint Commission Resources (JCR) and the steps both organizations have taken to prevent the improper sharing of accreditation and consulting information with each other. Our highest priority has been, and continues to be, the preservation of the integrity of the Joint Commission's accreditation process. As noted in the report, the Joint Commission and JCR share a common goal to continuously improve the safety and quality of health care. Although each organization operationalizes its specific mission differently, this common purpose informs the activities and initiatives of both organizations. The careful coordination of these complementary efforts-both at the governance and operations levels-permits us each to optimize our respective capabilities, while also preserving the integrity of the Joint Commission's accreditation process. The Joint Commission agrees with GAO's conclusion that ensuring the independence of the Joint Commission's accreditation process is vitally important to safeguarding the safety and quality of hospital services provided to Medicare beneficiaries and other members of the public. The Joint Commission and JCR are both staunchly committed to this priority, as reflected by the elaborate firewall and related mechanisms that have been created and, as detailed in the report, are effectively functioning to prevent the improper sharing of facility-specific information between the two entities. These mechanisms will continue to be closely monitored and assessed on an ongoing basis to ensure they are operating as intended and refined as needed. Again, the Joint Commission would like to express its thanks for the opportunity to review and comment on this draft report and to provide technical comments. The later are provided as an attachment to this letter. If you have any questions concerning these comments, please contact Trisha Kurtz, Director of Federal Relations, at 202.783.6655. Sincerely, Signed by: Dennis S. O'Leary, M.D. President: Joint Commission: Signed by: Karen H. Timmons: President and CEO: Joint Commission Resources: [End of section] Appendix VI: GAO Contact and Staff Acknowledgments: GAO Contact: Leslie G. Aronovitz, (312) 220-7600 or aronovitzl@gao.gov: Acknowledgments: In addition to the person named above, Geraldine Redican-Bigott, Assistant Director; Emily Gamble Gardiner, Thomas Han, Kevin Milne, Daniel Ries, Janet Rosenblad, and Jessica Cobert Smith made key contributions to this report. FOOTNOTES [1] Accreditation is an assessment process by which an organization's performance is measured against certain standards defined by industry experts. [2] Hospitals accredited by the Joint Commission are deemed to be in compliance with all of the Medicare conditions except three. These three conditions are related to hospital utilization reviews, certain psychiatric hospital staffing and records standards, and any standards that CMS, after consulting with the Joint Commission, identifies as being higher or more precise than the Joint Commission's accreditation standards. See 42 C.F.R. § 488.5 (2005). [3] Hospitals may also demonstrate compliance through accreditation from the American Osteopathic Association or by applying to CMS for a review to determine whether they satisfy the conditions of participation. A review by CMS is typically conducted by a state agency under contract with CMS. [4] See 42 U.S.C. § 1395bb(a) (2000); see also 42 C.F.R. § 488.5 (2005). [5] JCR was known as Quality Healthcare Resources until 1998, when its name was changed. [6] The Joint Commission and JCR have used the terms "affiliate" and "subsidiary" interchangeably to describe JCR. For purposes of this report, we refer to JCR as an "affiliate." In a "controlled" affiliate, the affiliate is a separate legal entity, but the parent organization has authority over the affiliate's activities. [7] For the purposes of this report, when we refer to facility-specific information, we are referring to information on hospital facilities only. The Joint Commission's status in statute as an approved accreditation organization for Medicare purposes extends only to hospitals. Therefore we excluded other types of facilities accredited by the Joint Commission from our work. [8] We excluded Joint Commission International, a division of JCR that provides consulting and accreditation services to foreign health care facilities, from the scope of our work because these facilities are not eligible to participate in the Medicare program. [9] Among others, we spoke with officials at the United States Department of Education, the Council on Higher Education Accreditation, Independent Sector, and the National Center for Nonprofit Enterprise. [10] The other founding members of the Joint Commission were the American College of Physicians, the American Medical Association, and the Canadian Medical Association. In 1959, the Canadian Medical Association withdrew to form its own accreditation body in Canada. The American Dental Association joined the Joint Commission as a member in 1979. [11] Organizations volunteered for unannounced surveys in 2004 and 2005, and all surveys (with certain exceptions, such as prison hospitals) became unannounced effective January 1, 2006. [12] Previously housed at the Joint Commission, the CSR program was also transferred to JCR in 2000. JCR also expanded its services to include international accreditation activities through Joint Commission International, which is a division of JCR that provides consulting and accreditation services to foreign health care facilities. The activities of Joint Commission International are beyond the scope of this work. [13] In our 2004 report, we suggested that Congress consider giving CMS the authority over the Joint Commission's hospital accreditation program that it has over other accreditation programs. We also recommended that CMS modify its methods for assessing the Joint Commission's performance. For more information, see GAO, Medicare: CMS Needs Additional Authority to Adequately Oversee Patient Safety in Hospitals, GAO-04-850 (Washington, D.C.: July 20, 2004). [14] Pub. L. No. 107-204, 116 Stat. 745. [15] Compliance programs are designed to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements. [16] Federal Sentencing Guidelines have been developed both for individuals and for organizations. The Sentencing Guidelines for organizations provide for reduced sentences for federal crimes if the organization demonstrates adherence to certain elements that demonstrate an effective compliance program. [17] The HHS Office of Inspector General Compliance Program Guidance for Hospitals is intended to help health care facilities promote adherence with laws and regulations, as well as with ethical and business policies. This guidance recommends the inclusion of several elements in a compliance program, such as the development of written policies and procedures, a compliance officer and compliance council, a hotline for staff to report violations, and ongoing staff training. While these guidelines were not developed for accreditation bodies, the Joint Commission used this framework when developing its compliance program. [18] See, e.g., 12A Fletcher Cyclopedia Corporations § 5687 (Perm. Ed.) [19] The laws related to the organization of nonprofit corporations may vary by state. Both the Joint Commission and JCR were organized under the laws of the State of Illinois and are subject to its laws. See 805 ILCS 105/107.03 (f)(2004). [20] The bylaws of JCR indicate that the sole member shall have the reserve powers listed in the bylaws in lieu of reserve powers that would be otherwise provided by applicable statute. [21] See Dana Brakman Reiser, "Decision-Makers Without Duties: Defining the Duties of Parent Corporations Acting as Sole Corporate Members in Nonprofit Health Care Systems," Rutgers L. Rev. 53 (2001): 991. [22] "Ex officio" means that "by right of their office" these officers are able to serve on the board. [23] The previously separate officer positions of President and CEO of JCR were combined into the single position of President/CEO following the restructuring of JCR in 2003. [24] In general, an affiliate may contract with a parent organization for support services as long as the transactions are considered reasonable for both organizations at the time they enter into the agreement. To maintain the affiliate's status as a separate legal entity, certain formalities should be followed, such as the affiliate maintaining separate bank accounts and records, and being responsible for its own corporate filing requirements. JCR maintains its own separate bank account and records and handles its own corporate filing requirements. [25] The management fee paid by JCR is considered a related party transaction--a transaction between related parties such as controlled entities, principal stockholders, or management. It has no net effect on, and is eliminated from, the Joint Commission's consolidated financial statements. [26] JCR's board decided to retain external counsel in 2005 to represent its interests. [27] In addition to issues related to the firewall policies, the Compliance Officer is responsible for oversight of other compliance issues, such as unethical conduct. Such conduct may include employee harassment, divulging protected health information, and abuse of organizational resources. [28] Between January and September of 2005, royalty fees paid by JCR to the Joint Commission totaled $713,825 and the management fee JCR paid for support services totaled $2,648,646. In 2004, JCR paid $3,249,862 of excess net assets to the Joint Commission. Net assets of a nonprofit affiliate may be transferred to its nonprofit parent organization. Like the management fee JCR pays the Joint Commission, the royalty fees are considered a related party transaction and are eliminated from the Joint Commission's consolidated financial statements. [29] The policies were effective January 1, 2004, and were modified in 2005 and 2006. [30] The Joint Commission and JCR compliance program is overseen by the organizations' Compliance Officer, and focuses on preventing violations of law and unethical conduct and investigating and responding to allegations of violations. The Compliance Program addresses a variety of issues, including confidentiality issues, fraud, and conflicts of interest, as well as issues related to the organizations' firewall. [31] While some JCR publications and education staff are co-located with Joint Commission staff, all JCR consulting services staff are either housed at the separate JCR offices or are based throughout the country. [32] This policy went into effect January 1, 2004. [33] If JCR has provided consulting services to a facility within the facility's current Joint Commission accreditation period, JCR may review and comment on documents the facility has prepared for the Joint Commission. However, in these cases, JCR may not charge a fee for these services. According to 2005 meeting minutes, JCR's firewall oversight committee may review the scope limitations policy to address recent changes in the Joint Commission survey process. [34] This policy is referred to as the "firewall policy for planning and financial affairs and information technology staff." [35] Guidelines related to the marketing of JCR services were developed in 2003. [36] The code of conduct provides general information on acceptable staff behavior and the confidentiality of information, as well as information on mechanisms for reporting violations. [37] Prior to January 2004, Joint Commission surveyors were allowed to provide consulting services. Until that time, some surveyors also worked as JCR consultants, while others worked as independent contractors. [38] The Joint Commission reported that a testing component was added to its staff training program in late 2006 and that it will be expanded in 2007. [39] Facility-specific information is not available through this site. [40] The hotline is available 24 hours per day, 7 days a week and is operated by a contractor. When a call is received, the hotline operator takes information on the caller's concern and, at the end of the call, provides the caller with a report number that can be used when following up with the hotline. Within 24 hours of receiving a call, hotline staff are required to prepare a report on the call and submit that report to the Compliance Officer and other specified staff. The Compliance Officer is then charged with investigating any reported issue. [41] According to Joint Commission staff, two of these calls were from staff confirming the hotline's existence. The third call concerned a complaint about a specific facility. This call should have been made to another Joint Commission hotline that allows members of the public to report complaints about specific facilities. [42] Among the other recommendations made by the consultant were recommendations to develop guidelines for meetings involving staff from both organizations, require board members from both organizations to sign the annual firewall compliance statement, and modify the firewall policy to reflect that the Joint Commission Office of Legal Affairs was not conducting annual audits of the organizations' firewalls. [43] JCR's Firewall Oversight Committee was not formed until 2004; therefore, we reviewed the agendas and meeting minutes from 2004 through September 2006. [44] E-mail addresses were not available for certain staff members. In these cases, staff were contacted by phone four times. [45] The Council on Higher Education Accreditation is an association of colleges and universities which certifies institutional accrediting organizations. The National Organization for Competency Assurance includes the National Commission for Certifying Agencies, which accredits certification programs for a variety of professions. GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to www.gao.gov and select "Subscribe to Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, D.C. 20548: Public Affairs: Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: