Hospital Accreditation: Joint Commission on Accreditation of	 
Healthcare Organizations' Relationship with Its Affiliate	 
(15-DEC-06, GAO-07-79). 					 
                                                                 
Hospitals must meet certain conditions of participation 	 
established by the Centers for Medicare & Medicaid Services (CMS)
in order to receive Medicare payments. In 2003, most		 
hospitals--over 80 percent--demonstrated compliance with most of 
these conditions through accreditation from the Joint Commission 
on Accreditation of Healthcare Organizations (Joint Commission). 
Established in 1986, Joint Commission Resources, Inc. (JCR), a	 
nonprofit affiliate of the Joint Commission, provides		 
consultative technical assistance services to hospitals. Both	 
organizations acknowledge the need to ensure that JCR's services 
do not--and are not perceived to--affect the independence of the 
Joint Commission's accreditation process. GAO was asked to	 
provide information on the relationship between the Joint	 
Commission and JCR. This report describes (1) their		 
organizational relationship, and (2) the significant steps they  
have taken to prevent the improper sharing of information,	 
obtained through their accreditation and consulting activities,  
respectively, since JCR was established. GAO reviewed pertinent  
documents, including conflict-of-interest policies and		 
information about the organizations' financial relationship, and 
interviewed staff and board members from both organizations, JCR 
clients, and CMS officials.					 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-79						        
    ACCNO:   A64185						        
  TITLE:     Hospital Accreditation: Joint Commission on Accreditation
of Healthcare Organizations' Relationship with Its Affiliate	 
     DATE:   12/15/2006 
  SUBJECT:   Agency protocols					 
	     Consultants					 
	     Firewalls						 
	     Health care facilities				 
	     Health resources utilization			 
	     Hospitals						 
	     Information disclosure				 
	     Institution accreditation				 
	     Internal controls					 
	     Policy evaluation					 
	     Program evaluation 				 
	     Reporting requirements				 
	     Government agency oversight			 
	     Policies and procedures				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-79

   

     * [1]Results in Brief
     * [2]Background
     * [3]The Joint Commission Has a Close Relationship with JCR throu

          * [4]The Joint Commission Has Substantial Control over JCR throug
          * [5]The Joint Commission and JCR Provide Operational Assistance

     * [6]The Joint Commission and JCR Have Taken Steps to Prevent the

          * [7]The Joint Commission and JCR Have Policies Designed to Preve

               * [8]Firewall Policies

          * [9]Additional Firewall-Related Policies and Guidance
          * [10]The Joint Commission and JCR Have Taken Steps to Train Staff

               * [11]Staff Training on Firewall and Firewall-Related Policies
               * [12]Mechanisms for Reporting Violations
               * [13]Monitoring of Firewall and Related Policies

     * [14]Concluding Observations
     * [15]Agency Comments
     * [16]GAO Contact
     * [17]Acknowledgments
     * [18]GAO's Mission
     * [19]Obtaining Copies of GAO Reports and Testimony

          * [20]Order by Mail or Phone

     * [21]To Report Fraud, Waste, and Abuse in Federal Programs
     * [22]Congressional Relations
     * [23]Public Affairs

Report to Congressional Requesters

United States Government Accountability Office

GAO

December 2006

HOSPITAL ACCREDITATION

Joint Commission on Accreditation of Healthcare Organizations'
Relationship with Its Affiliate

GAO-07-79

Contents

Letter 1

Results in Brief 4
Background 5
The Joint Commission Has a Close Relationship with JCR through Their
Governance Structure and Operations 9
The Joint Commission and JCR Have Taken Steps to Prevent the Improper
Exchange of Facility-Specific Information 15
Concluding Observations 23
Agency Comments 24
Appendix I Scope and Methodology 26
Appendix II Timeline of Key Developments in the Organizations'
Relationship 30
Appendix III Policies, Protocols, and Guidelines Related to the Firewall,
as of 2006 31
Appendix IV Elements of the Firewall Policies, as of 2006 33
Appendix V Comments from the Joint Commission on Accreditation of
Healthcare Organizations 35
Appendix VI GAO Contact and Staff Acknowledgments 37

Table

Table 1: Joint Commission's Powers Over JCR Enumerated in JCR Bylaws 11

Figures

Figure 1: Relationship between the Joint Commission, JCR, and Hospitals 7
Figure 2: Board Structure of JCR in Relation to the Joint Commission 12

Abbreviations

CEO Chief Executive Officer CFO Chief Financial Officer CMS Centers for
Medicare & Medicaid Services CSR Continuous Service Readiness HHS
Department of Health and Human Services JCR Joint Commission Resources,
Inc.

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office

Washington, DC 20548

December 15, 2006

The Honorable Charles E. Grassley
Chairman
Committee on Financ
United Senate

The Honorable Pete Stark
Ranking Minority Member
Subcommittee on Health
Committee on Ways and Means
House of Representatives

In order to be eligible to receive payments from Medicare--the federal
program that provides health care benefits to over 42 million elderly and
disabled beneficiaries--hospitals must meet certain criteria established
by federal law. The Centers for Medicare & Medicaid Services (CMS), the
federal agency within the Department of Health and Human Services (HHS)
that administers Medicare, has established conditions of participation
that hospitals must meet to be eligible to participate in the Medicare
program. The Joint Commission on Accreditation of Healthcare Organizations
(Joint Commission), a nonprofit corporation, has developed its own
accreditation standards that are intended to meet or exceed Medicare's
conditions of participation.^1 Hospitals accredited by the Joint
Commission are, in general, deemed to meet most of the conditions to be
eligible for Medicare payment.^2 In 2003, most hospitals--over 80
percent--demonstrated that they met the applicable conditions of
participation through accreditation from the Joint Commission.^3

^1Accreditation is an assessment process by which an organization's
performance is measured against certain standards defined by industry
experts.

^2Hospitals accredited by the Joint Commission are deemed to be in
compliance with all of the Medicare conditions except three. These three
conditions are related to hospital utilization reviews, certain
psychiatric hospital staffing and records standards, and any standards
that CMS, after consulting with the Joint Commission, identifies as being
higher or more precise than the Joint Commission's accreditation
standards. See 42 C.F.R. S 488.5 (2005).

The Joint Commission's status as a hospital accrediting body was
established by statute in 1965, and consequently, can only be changed by
Congress.^4 Although CMS has approved other organizations' hospital
accreditation programs, the Joint Commission is the only organization
whose approval is expressly provided for in statute. As such, the Joint
Commission is not required to periodically reapply to CMS for this
approval.

In 1986, the Joint Commission created Joint Commission Resources, Inc.
(JCR),^5 a nonprofit, controlled affiliate.^6 JCR's stated purpose is to
assist health care organizations in improving the quality of their care
through educational and research activities. Of particular interest, JCR
provides consultative technical assistance services--referred to as
"consulting services" throughout the remainder of this report--to health
care facilities, including individual hospitals and members of state
hospital associations, to help facilities comply with the Joint
Commission's accreditation standards. While JCR is a separate entity
legally from the Joint Commission, the organizations are related corporate
entities. As a result, the two organizations have acknowledged the need to
ensure that JCR's consultative services do not affect, and are perceived
not to affect, the independence of the Joint Commission's accreditation
process, either through the improper sharing of information about
facilities using JCR's services with Joint Commission accreditation staff
or through any implication that using JCR's services will provide an undue
advantage in the Joint Commission accreditation process. Both of the
organizations attempted to address these concerns through the development
of a "firewall"--policies designed to establish a barrier between the
organizations to prevent conflicts of interest and sharing of
facility-specific information.^7 For example, the firewall is intended to
prevent JCR from sharing the names of its hospital clients with the Joint
Commission.

^3Hospitals may also demonstrate compliance through accreditation from the
American Osteopathic Association or by applying to CMS for a review to
determine whether they satisfy the conditions of participation. A review
by CMS is typically conducted by a state agency under contract with CMS.

^4See 42 U.S.C. S 1395bb(a) (2000); see also 42 C.F.R. S 488.5 (2005).

^5JCR was known as Quality Healthcare Resources until 1998, when its name
was changed.

^6The Joint Commission and JCR have used the terms "affiliate" and
"subsidiary" interchangeably to describe JCR. For purposes of this report,
we refer to JCR as an "affiliate." In a "controlled" affiliate, the
affiliate is a separate legal entity, but the parent organization has
authority over the affiliate's activities.

You asked us to provide information on the relationship between the Joint
Commission and JCR as it relates to the hospital accreditation process. In
this report, we describe (1) how the Joint Commission and JCR are related
to one another through their governance structure and operations, and (2)
the significant steps both organizations have taken to prevent the
improper sharing of facility-specific information, obtained through their
hospital accreditation and consulting activities, since the creation of
JCR.

To describe the relationship between the Joint Commission and JCR,
specifically as it pertains to their governance structure and operations,
we interviewed senior staff at both organizations, including the President
of the Joint Commission and the individual who serves as both President
and Chief Executive Officer (CEO) of JCR. We also interviewed board
members from the Joint Commission and JCR and reviewed documents from both
organizations, including documents related to the organizations' financial
relationship.^8 Further, we interviewed staff at CMS to obtain information
on their oversight of the Joint Commission and other accreditation
organizations, and reviewed reports CMS provides to Congress related to
its validation surveys of Joint Commission accredited hospitals. To
further our understanding of issues related to organizational governance,
conflicts of interest, and independence standards, we interviewed
officials from both the private and public sector^9 and reviewed pertinent
documents.

To provide information on the significant steps taken by the Joint
Commission and JCR since JCR's creation to prevent the improper sharing of
facility-specific information, we reviewed relevant policies developed by
the two organizations. We reviewed versions of the firewall and related
policies issued between 1987 and 2006 and interviewed senior staff with
responsibility for this area, including the person who serves as the
Corporate Compliance and Privacy Officer (Compliance Officer) for both
organizations. We also conducted interviews with staff members at each
organization to obtain information on their understanding of the firewall
and related policies and guidelines, their training on these policies and
guidelines, and their awareness of possible firewall violations. In
addition, to learn about JCR's clients' understanding of the relationship
between JCR and the Joint Commission, we conducted interviews with state
hospital associations that, as of May 2006, used JCR's consulting
services, and hospitals that used these services during calendar year
2005. We also conducted interviews with state hospital associations that
had not used JCR's consulting services as of May 2006 to learn more about
their reasons for not doing so. The information provided from our
interviews with staff, state hospital associations, and hospitals reflects
the comments of those we interviewed and cannot be generalized to all
Joint Commission and JCR staff or all state hospital associations and
hospitals using JCR consulting services. (For additional information on
our methodology, see app. I.)

^7For the purposes of this report, when we refer to facility-specific
information, we are referring to information on hospital facilities only.
The Joint Commission's status in statute as an approved accreditation
organization for Medicare purposes extends only to hospitals. Therefore we
excluded other types of facilities accredited by the Joint Commission from
our work.

^8We excluded Joint Commission International, a division of JCR that
provides consulting and accreditation services to foreign health care
facilities, from the scope of our work because these facilities are not
eligible to participate in the Medicare program.

^9Among others, we spoke with officials at the United States Department of
Education, the Council on Higher Education Accreditation, Independent
Sector, and the National Center for Nonprofit Enterprise.

We conducted our work from October 2005 to December 2006, in accordance
with generally accepted government auditing standards.

Results in Brief

Although the Joint Commission and JCR provide different types of services
to health care organizations, they remain closely related to one another
in their efforts to achieve their similarly stated missions. Their close
relationship is demonstrated through both their governance structure and
operations. The Joint Commission has substantial control over JCR through
powers provided in JCR's bylaws as well as through Joint Commission
commissioners that also serve on JCR's board. In addition, the two
organizations provide various operational services to one another.

The Joint Commission and JCR have taken steps designed to prevent the
improper sharing of facility-specific information obtained from their
accreditation or consulting activities. In 1987, shortly after the
creation of JCR, the organizations developed initial firewall guidance.
Beginning in 2003, both organizations began taking additional steps
designed to enhance the firewall guidance. They have also implemented
additional policies and guidance designed to further strengthen the
firewall between the two organizations. Both the Joint Commission and JCR
report providing training to staff on these policies, and have developed
mechanisms to allow staff to report possible firewall violations. They
both have also taken steps, primarily since 2003, to strengthen the
oversight of the implementation of, and compliance with, the firewall and
related policies.

Ensuring the independence of the Joint Commission's accreditation process
is vitally important. To ensure that the firewall and other mechanisms
instituted are sufficient to prevent the improper sharing of
facility-specific information, it would be prudent for the Joint
Commission and JCR to continue to assess these mechanisms and monitor
their implementation.

The Joint Commission agreed with our concluding observations and
emphasized that its highest priority is to preserve the integrity of its
accreditation process. CMS did not comment on our findings or concluding
observations.

Background

The Joint Commission, a nonprofit organization founded in 1951, was
created to provide voluntary health care accreditation for hospitals. All
but one of the Joint Commission's founding members continued to serve on
its Board of Commissioners as of October 2006, including the American
Hospital Association and the American College of Surgeons.^10 The
standards established by the Joint Commission address a facility's level
of performance in areas such as patient rights, patient treatment, and
infection control. To determine whether a facility is in compliance with
those standards, the Joint Commission conducts on-site evaluations of
facilities, called accreditation surveys. The Joint Commission recognizes
a facility's compliance with its standards by issuing a certificate of
accreditation, which is valid for a 3-year period. In 2004, the Joint
Commission implemented a new accreditation process in an effort to
encourage hospitals to focus on continuous quality improvement, rather
than survey preparation. Previously, facilities were told in advance when
Joint Commission surveyors would conduct their evaluations. As a part of
the new process, the Joint Commission began conducting unannounced
surveys.^11 The Joint Commission employs over 900 staff members, including
approximately 200 hospital surveyors from a range of disciplines--such as
physicians, nurses, and hospital administrators--who conduct the
accreditation surveys. In 2005, the Joint Commission accredited
approximately 4,300 hospitals.

^10The other founding members of the Joint Commission were the American
College of Physicians, the American Medical Association, and the Canadian
Medical Association. In 1959, the Canadian Medical Association withdrew to
form its own accreditation body in Canada. The American Dental Association
joined the Joint Commission as a member in 1979.

The Joint Commission established JCR to provide consultative technical
assistance to health care organizations seeking Joint Commission
accreditation. (See fig. 1.) JCR is governed by a Board of Directors and
employs approximately 180 staff members, including consultants located
throughout the country. In 2000, the Joint Commission expanded JCR's role
beyond consulting to include all educational services, such as seminars
and audio conferences, which the Joint Commission previously provided.
(See app. II for a timeline of key developments in the Joint Commission
and JCR relationship.) JCR also became the official publisher of the Joint
Commission's accreditation manuals and support materials. JCR offers
consulting services either independently to health care facilities or
through a subscription-based service called the Continuous Service
Readiness (CSR) program, which is typically offered in partnership with
state hospital associations.^12 The CSR program provides ongoing technical
assistance and education to subscribers through a variety of means,
including meetings, e-mails, telephone calls, and conferences.

^11Organizations volunteered for unannounced surveys in 2004 and 2005, and
all surveys (with certain exceptions, such as prison hospitals) became
unannounced effective January 1, 2006.

^12Previously housed at the Joint Commission, the CSR program was also
transferred to JCR in 2000. JCR also expanded its services to include
international accreditation activities through Joint Commission
International, which is a division of JCR that provides consulting and
accreditation services to foreign health care facilities. The activities
of Joint Commission International are beyond the scope of this work.

Figure 1: Relationship between the Joint Commission, JCR, and Hospitals

In 2004, we reported that CMS's oversight of the Joint Commission hospital
accreditation process is limited. Although it conducts on-site validation
surveys of a sample of Joint Commission-accredited hospitals, the agency
cannot restrict or remove the Joint Commission's accreditation authority
if it detects problems.^13 CMS reported that the agency and the Joint
Commission engage in ongoing dialogue to identify potential hospital
accreditation performance issues. In addition, CMS provides an annual
report of its findings to Congress. Unlike the Joint Commission, JCR is
not subject to any oversight by CMS.

^13In our 2004 report, we suggested that Congress consider giving CMS the
authority over the Joint Commission's hospital accreditation program that
it has over other accreditation programs. We also recommended that CMS
modify its methods for assessing the Joint Commission's performance. For
more information, see GAO, Medicare: CMS Needs Additional Authority to
Adequately Oversee Patient Safety in Hospitals, [24]GAO-04-850
(Washington, D.C.: July 20, 2004).

When developing policies regarding its relationship with JCR, the Joint
Commission has been affected by the increased focus in both the public and
private sectors on governance issues. The Sarbanes-Oxley Act of 2002,^14
passed in response to corporate and accounting scandals, required publicly
traded companies to follow new governance standards, including those
designed to ensure auditors' independence from their clients. Even though
most provisions of the Sarbanes-Oxley Act are not applicable to nonprofit
organizations, activities that have occurred in the wake of the act have
affected nonprofits. For example, several state legislatures are
considering legislation that applies standards similar to the
Sarbanes-Oxley requirements to nonprofit organizations. In addition, some
nonprofit organizations, such as the Joint Commission, have voluntarily
adopted policies and altered governance practices based upon the act.

Organizations in the public and private sectors have also begun to
institute compliance programs^15 and those that provide accreditation or
certification services have developed standards to ensure the independence
of these services. Compliance programs for health care organizations--such
as hospitals, home health agencies, and medical supply companies--have
used provisions of the federal Sentencing Guidelines,^16 developed in
1991, as a program model. These guidelines lay out two common principles
of adequate compliance programs--to prevent and detect criminal conduct,
and to promote an organizational culture of ethics and compliance with the
law. In 1998, the HHS Office of Inspector General developed a model
compliance program for hospitals.^17 Regarding independence standards,
organizations that provide accreditation or certification, or recognize
accreditation bodies, have begun to impose certain criteria to demonstrate
independence. For example, the Department of Education developed criteria
for educational accrediting bodies that are designed to ensure that those
organizations granting accreditation are not improperly influenced by
related trade or membership associations.

^14Pub. L. No. 107-204, 116 Stat. 745.

^15Compliance programs are designed to encourage the development and use
of internal controls to monitor adherence to applicable statutes,
regulations, and program requirements.

^16Federal Sentencing Guidelines have been developed both for individuals
and for organizations. The Sentencing Guidelines for organizations provide
for reduced sentences for federal crimes if the organization demonstrates
adherence to certain elements that demonstrate an effective compliance
program.

The Joint Commission Has a Close Relationship with JCR through Their Governance
Structure and Operations

The mission statements of the Joint Commission and JCR both share the same
phrase of seeking "to continuously improve the safety and quality of
care." While each organization differs in the activities it engages in to
achieve that mission, they maintain a close relationship through both
their governance structure and operations. The Joint Commission has
substantial control over the governance of JCR through the powers retained
by the Joint Commission in JCR's bylaws as well as through the Joint
Commission's representation on JCR's Board of Directors. In addition, JCR
manages all Joint Commission publications and educational activities,
while the Joint Commission provides various support services and some
management oversight to JCR.

The Joint Commission Has Substantial Control over JCR through Its Governance
Authority

The Joint Commission has substantial control over the governance of its
affiliate, JCR. In 2003, the Joint Commission undertook a major review of
the structural, operational, and legal aspects of its relationship with
JCR in an effort to address any real or perceived conflict-of-interest
issues. This review led to the restructuring of JCR through revisions to
JCR's bylaws, which govern the internal affairs of the organization, and
resulted in changes to the composition of JCR's board and the appointment
of board officers. In particular, after the restructuring the Joint
Commission no longer retained a majority on the JCR board through board
members who served on the boards of both organizations. However, through
changes to JCR's bylaws, the Joint Commission maintained control over JCR
by reserving powers that would otherwise have been exercised by JCR.

^17The HHS Office of Inspector General Compliance Program Guidance for
Hospitals is intended to help health care facilities promote adherence
with laws and regulations, as well as with ethical and business policies.
This guidance recommends the inclusion of several elements in a compliance
program, such as the development of written policies and procedures, a
compliance officer and compliance council, a hotline for staff to report
violations, and ongoing staff training. While these guidelines were not
developed for accreditation bodies, the Joint Commission used this
framework when developing its compliance program.

The 2003 restructuring of JCR allowed the Joint Commission to effectively
maintain control over JCR by implementing a change in the "corporate
membership" of JCR. Similar to for-profit entities that may have
stockholders, nonprofit corporations may have corporate members who, in
general, are responsible for major organizational decisions, such as
electing the corporation's board.^18 If a nonprofit corporation does not
have any members, the corporation's board of directors holds
decision-making authority.^19 With the restructuring of JCR, the Joint
Commission became the "sole member" of JCR.

The sole member has the ability to exercise substantial control over the
affiliate through its "reserved powers"--powers that would otherwise be
exercised by the affiliate board, if the sole member did not reserve them
for itself. When the Joint Commission became the sole member of JCR, its
reserved powers included those previously held and a number of additional
powers, as shown in table 1.^20 A practicing attorney with expertise in
transactions involving nonprofit health care organizations and who has
served as external counsel for the Joint Commission considers this
structure necessary to enable the parent to protect itself from the
possibility of the affiliate acting against the parent's interests.
However, an article published in a law journal cautions that this
structure allows the parent to make decisions solely in its own interest
without considering the impact on the affiliate.^21

18See, e.g., 12A Fletcher Cyclopedia Corporations S 5687 (Perm. Ed.).

^19The laws related to the organization of nonprofit corporations may vary
by state. Both the Joint Commission and JCR were organized under the laws
of the State of Illinois and are subject to its laws. See 805 ILCS
105/107.03 (f)(2004).

^20The bylaws of JCR indicate that the sole member shall have the reserve
powers listed in the bylaws in lieu of reserve powers that would be
otherwise provided by applicable statute.

^21See Dana Brakman Reiser, "Decision-Makers Without Duties: Defining the
Duties of Parent Corporations Acting as Sole Corporate Members in
Nonprofit Health Care Systems," Rutgers L. Rev. 53 (2001): 991.

Table 1: Joint Commission's Powers Over JCR Enumerated in JCR Bylaws

Joint Commission's powers in                                               
JCR bylaws before 2003         Joint Commission's powers added to JCR      
restructuring                  bylaws as a result of 2003 restructuring    
      o Appoint JCR directors        o Appoint JCR board vice chairman and    
      o Remove JCR directors,        President/CEO                            
      with or without cause, by a    o Remove JCR board chairman, vice        
      two-thirds vote                chairman, and President/CEO, with or     
      o Appoint the JCR board        without cause                            
      chairman                       o Amend JCR articles of incorporation    
      o Approve amendments to JCR    and bylaws                               
      articles of incorporation      o Approve all creations of subsidiaries  
      and bylaws                     or controlled affiliates, mergers,       
      o Approve JCR's mission        consolidations, certain affiliations,    
      statement and strategic        and all joint ventures of JCR involving  
      plans                          capital investments in excess of         
      o Approve all JCR debt in      $250,000                                 
      excess of $250,000             o Approve sale or encumbrance of all or  
      o Approve JCR's budget         substantially all assets of JCR          
      o Approve JCR's dissolution    o Approve all liquidations from JCR      

Source: GAO summary of the Joint Commission and JCR Bylaws.

As part of the 2003 restructuring, the Joint Commission took steps to
reduce the proportion of persons serving on the JCR board who also served
as board members on the Joint Commission board. Prior to the 2003
restructuring, JCR's board had 13 directors with a majority--7
directors--from the Joint Commission, including the President of the Joint
Commission as an ex officio director with voting rights.^22 The other 6
directors were from outside the Joint Commission, and included the CEO of
JCR as an ex officio director with voting rights. After the 2003
restructuring, directors from the Joint Commission no longer comprised the
majority of members on JCR's board. There are 17 directors on JCR's board,
consisting of 7 Joint Commission directors--including the President of the
Joint Commission as an ex officio director with voting rights--and 9
external directors who cannot be, either concurrently or within the prior
3 years, Joint Commission commissioners or employees. The President/CEO of
JCR also serves on the JCR board, serving as a voting ex officio
director.^23 (See fig. 2.)

^22"Ex officio" means that "by right of their office" these officers are
able to serve on the board.

^23The previously separate officer positions of President and CEO of JCR
were combined into the single position of President/CEO following the
restructuring of JCR in 2003.

Figure 2: Board Structure of JCR in Relation to the Joint Commission

Directors we interviewed who serve on both the Joint Commission and JCR
boards said that serving on the two boards has not been problematic
because both organizations share the same mission. However, they also
recognized the potential for overlapping board members to be faced with
competing organizational interests if differences between the Joint
Commission and JCR arise. These directors noted that, if competing
organizational interests were to occur, the Joint Commission's reserve
powers would dictate the final decision.

The restructuring also affected the appointment of JCR officers. Prior to
the restructuring, the President and the Chief Financial Officer (CFO) of
the Joint Commission also served in those same positions for JCR. The CEO
of JCR was appointed by, and reported to, the President of the Joint
Commission, and could only appoint other JCR officers after consulting
with the Joint Commission's President. Changes to JCR's bylaws through the
2003 restructuring removed the requirement that the Joint Commission's
President and CFO serve in those positions for JCR. Rather, the Joint
Commission appoints and has the power to remove the President/CEO of JCR.
The President/CEO of JCR also now has the authority to appoint officers,
such as the CFO, without consulting with the Joint Commission's President.
In addition, the Joint Commission, rather than JCR's board, now appoints
the vice chairman of JCR's board.

One other noteworthy change as a result of the 2003 restructuring dealt
with the role of two Joint Commission board committees in relation to JCR
and the creation of a new JCR board committee. The Joint Commission
created a Governance Committee, which has a number of responsibilities
involving JCR, such as nominating JCR board directors and certain
officers. This committee also has oversight responsibility for JCR
governance issues and JCR conflict-of-interest policies, and reviews the
bylaws and other documents of JCR. Further, the Joint Commission expanded
the responsibilities of an existing committee--the Finance and Audit
Committee--to include reviews of annual financial audits and other matters
related to oversight of the firewall between the Joint Commission and JCR.
Within the JCR board, a Firewall Oversight Committee was created as a
result of the restructuring. This committee is charged with monitoring
compliance with the firewall and related policies.

The Joint Commission and JCR Provide Operational Assistance to One Another

The structure of the Joint Commission and JCR allows the two organizations
to provide certain operational assistance to one another. The Joint
Commission provides support and management services to JCR. Through a
January 2001 service agreement, the Joint Commission provides JCR with
financial, legal, marketing and public relations, human resources,
accounting (bookkeeping and payroll), information technology, and other
support services such as office management and mail.^24 JCR pays for these
services through a management fee.^25 The methodology used to determine
the appropriate allocation of expenses varies by department. For some
departments, the allocation is based upon JCR's percentage of total
revenues, whereas in other departments, the estimate is made using the
amount of time spent doing work on behalf of JCR. Departments also vary in
whether they include overhead costs in the allocation.

^24In general, an affiliate may contract with a parent organization for
support services as long as the transactions are considered reasonable for
both organizations at the time they enter into the agreement. To maintain
the affiliate's status as a separate legal entity, certain formalities
should be followed, such as the affiliate maintaining separate bank
accounts and records, and being responsible for its own corporate filing
requirements. JCR maintains its own separate bank account and records and
handles its own corporate filing requirements.

^25The management fee paid by JCR is considered a related party
transaction--a transaction between related parties such as controlled
entities, principal stockholders, or management. It has no net effect on,
and is eliminated from, the Joint Commission's consolidated financial
statements.

Along with support services, the Joint Commission also provides management
services to JCR through its General Counsel and Compliance Officer.^26 For
example, all JCR materials, including the publications it produces on
behalf of the Joint Commission and materials produced for its own
purposes, must be reviewed and approved by the Joint Commission's General
Counsel prior to issuance. The Compliance Officer, a position created by
the Joint Commission in 2005, oversees compliance duties for both the
Joint Commission and JCR. Among other duties, the Compliance Officer is
responsible for implementing, providing training on, and monitoring
compliance with the firewall policies.^27 The Compliance Officer reports
directly to the President of the Joint Commission and President/CEO of
JCR, the Joint Commission's Governance Committee, JCR's Firewall Oversight
Committee, and may also report to the full boards of both organizations.
The Compliance Officer is aided by a Compliance Council, which was created
in late 2005 and consists of members who represent multiple departments
from both the Joint Commission and JCR. The Council works with the
Compliance Officer to develop an annual work plan that focuses on areas of
greatest risk, recommended training, auditing, and measures of the
compliance program's effectiveness.

JCR also provides assistance to the Joint Commission, including
publication and educational services. The Joint Commission transferred its
publications and educational product lines to JCR in 2000 in order to
combine support services within JCR and to allow for organizational
separation between the Joint Commission's evaluation and accreditation
function and the consultation and educational services provided by JCR.
JCR currently offers a variety of educational programs regarding Joint
Commission accreditation, including seminars, e-learning opportunities,
and audio, satellite, and video conferences. These programs cover a range
of topics and include information on the Joint Commission standards and
changes to those standards. JCR also publishes its own books on health
care issues and periodicals on patient safety and quality improvement.

^26JCR's board decided to retain external counsel in 2005 to represent its
interests.

^27In addition to issues related to the firewall policies, the Compliance
Officer is responsible for oversight of other compliance issues, such as
unethical conduct. Such conduct may include employee harassment, divulging
protected health information, and abuse of organizational resources.

The operational services the Joint Commission and JCR provide to one
another result in a flow of funds between the two organizations. In
exchange for the license to publish Joint Commission materials, JCR pays
the Joint Commission a royalty fee that ranges from 4.75 to 9.5 percent on
gross sales. JCR also annually transmits assets to the Joint Commission in
excess of the amount needed to operate JCR's business. The amount of the
transfer is based on a formula that considers JCR's cash, investments, and
average operating expense.^28

The Joint Commission and JCR Have Taken Steps to Prevent the Improper Exchange
of Facility-Specific Information

The Joint Commission and JCR have taken steps, primarily since 2003,
designed to strengthen the firewall guidance initially developed in 1987,
shortly after the creation of JCR. They have also further developed
guidance addressing the relationship between the two organizations. In
addition, they have made an effort to educate staff at both organizations
on these matters and have enhanced monitoring of compliance with the
firewall and related policies.

The Joint Commission and JCR Have Policies Designed to Prevent the Sharing of
Facility-specific Information

The Joint Commission and JCR firewall polices were initially developed as
guidelines in 1987. Relatively few changes were made to these guidelines
until 2003, when they were extensively modified. In addition, since 2003,
the Joint Commission and JCR have developed other policies and guidance
designed to further strengthen the firewall between the two organizations.

^28Between January and September of 2005, royalty fees paid by JCR to the
Joint Commission totaled $713,825 and the management fee JCR paid for
support services totaled $2,648,646. In 2004, JCR paid $3,249,862 of
excess net assets to the Joint Commission. Net assets of a nonprofit
affiliate may be transferred to its nonprofit parent organization. Like
the management fee JCR pays the Joint Commission, the royalty fees are
considered a related party transaction and are eliminated from the Joint
Commission's consolidated financial statements.

  Firewall Policies

Since 1987, shortly after the creation of JCR, both the Joint Commission
and JCR have operated under a set of firewall guidelines designed to
prevent conflicts of interest between the Joint Commission's accreditation
activities and JCR's consultative services. Between 1987 and 2003, the
firewall guidelines were modified twice--once in 1992 and again in
1999--to reflect JCR's name change and other issues related to JCR
services. In 2003, the Joint Commission and JCR made extensive
modifications to the guidelines, which were released to staff in the form
of policies in 2004.^29 (See app. III for a list of key policies,
guidelines, and protocols.) These modifications stemmed from the Joint
Commission's review of its relationship with JCR following the passage of
the Sarbanes-Oxley Act in 2002. According to senior staff from the Joint
Commission and JCR, the revised firewall policies are not based on any
specific model. However, they are a component of the two organizations'
joint compliance program,^30 which was developed in part using the
hospital compliance program guidelines issued by HHS's Office of Inspector
General.

The stated purpose of both organizations' firewall policies is "to
eliminate any real or perceived conflict of interest" between the Joint
Commission's accreditation activities and JCR's consulting services.
Certain requirements in the firewall policies of the two organizations are
very similar, such as a prohibition on accessing confidential
facility-specific information from, or sharing any facility-specific
information with, staff from the other organization. (See app. IV for more
information on the contents of each organization's firewall policies.)
Joint Commission and JCR staff are also prohibited from suggesting that
the use of JCR consulting services is necessary for, or will influence,
Joint Commission accreditation decisions. In addition, staff and board
members of both organizations are required to sign an annual statement
signifying that they have read, and agree to comply with, the firewall
policies. Of the 25 staff members we spoke with from the Joint Commission
and JCR, all but 1 reported signing the required annual compliance
statement and all but 4--2 from the Joint Commission and 2 from JCR--were
aware that the firewall policy required them to sign this statement on an
annual basis.

^29The policies were effective January 1, 2004, and were modified in 2005
and 2006.

^30The Joint Commission and JCR compliance program is overseen by the
organizations' Compliance Officer, and focuses on preventing violations of
law and unethical conduct and investigating and responding to allegations
of violations. The Compliance Program addresses a variety of issues,
including confidentiality issues, fraud, and conflicts of interest, as
well as issues related to the organizations' firewall.

While both organizations' firewall policies share similar requirements,
each has certain provisions that focus specifically on the services
offered by its own organization. For example, the Joint Commission's
firewall policy stipulates that Joint Commission staff will not seek or
solicit information on whether or not a facility has used JCR consulting
services. The Joint Commission policy also provides guidance on how Joint
Commission staff should respond to requests for consulting services. For
example, if a facility asks Joint Commission surveyors for advice on these
services, they are required to direct the facility to an appropriate
senior staff member in the Joint Commission's central office. That senior
staff member can provide limited information on JCR, including its
services and the reason for its creation. JCR's firewall policy limits,
among other things, the language JCR can use to promote its services. It
also requires that JCR's consulting services staff be housed in separate
facilities from Joint Commission staff and use separate telephone and
computer systems.^31

Most of the state hospital associations and hospitals we interviewed that
use JCR's consulting services were familiar with the firewall between the
Joint Commission and JCR. Of the five state hospital associations we
interviewed that participate in JCR's CSR program, four said they were
provided with information on the relationship between the Joint Commission
and JCR or had been told by JCR staff about the firewall between the two
organizations. Further, all five associations stated that JCR staff have
never indicated that participation in the CSR program would affect the
accreditation process, other than through the general improvements that
are expected when using consulting services. Similarly, staff we
interviewed at six hospitals that use JCR's consulting services stated
that there had been no indication from JCR consultants that the use of
these services would influence their facility's Joint Commission
accreditation process.

Additional Firewall-Related Policies and Guidance

In addition to the recent changes to the firewall policies, the Joint
Commission and JCR developed other policies and guidance beginning in 2003
that further address possible areas of risk to the firewall. JCR
formalized protocols for its consultants in the field, which provide
specific guidance related to their interaction with the Joint Commission
staff. For example, if Joint Commission staff members arrive at a facility
to conduct a survey when a JCR consultant is on site, the JCR consultant
must leave the facility immediately. In 2003, JCR also developed a
policy--referred to as the "scope limitations policy"--which is designed
to clarify what services can be provided to Joint Commission-accredited
facilities.^32 The policy specifically prohibits JCR from providing
certain consulting services to facilities after they have undergone a
Joint Commission survey, including helping facilities challenge the Joint
Commission's accreditation decisions or findings, resolving Joint
Commission deficiency findings, or preparing facilities that have been
denied Joint Commission accreditation for future surveys.^33

31While some JCR publications and education staff are co-located with
Joint Commission staff, all JCR consulting services staff are either
housed at the separate JCR offices or are based throughout the country.

In 2004, the Joint Commission developed an additional policy reiterating
the importance of the firewall for those Joint Commission
employees--information technology and planning and financial affairs
staff--who, through the service agreement between the two organizations,
need, and are able, to access JCR financial or operational information.^34
In addition to the firewall compliance statement all Joint Commission
staff are required to sign, these particular staff members are required to
sign a separate compliance statement associated with this specific policy.
Also in 2004, JCR approved a formal firewall policy related to JCR
marketing materials in an effort to ensure that JCR marketing materials
contain no implication that purchasing its products or services will
impact the Joint Commission accreditation process.^35 Because JCR markets
some products that it develops on the Joint Commission's
behalf--publications and educational services--as well as its consulting
services, the marketing policy clarifies the language and logos that can
be used on marketing materials for these different products. For example,
while marketing materials for the Joint Commission accreditation manuals
published by JCR can only carry the Joint Commission logo, JCR's marketing
materials promoting its consulting services carry only the JCR logo.

^32This policy went into effect January 1, 2004.

^33If JCR has provided consulting services to a facility within the
facility's current Joint Commission accreditation period, JCR may review
and comment on documents the facility has prepared for the Joint
Commission. However, in these cases, JCR may not charge a fee for these
services. According to 2005 meeting minutes, JCR's firewall oversight
committee may review the scope limitations policy to address recent
changes in the Joint Commission survey process.

^34This policy is referred to as the "firewall policy for planning and
financial affairs and information technology staff."

^35Guidelines related to the marketing of JCR services were developed in
2003.

In 2006, the Joint Commission and JCR published posters, which are
displayed in Joint Commission and JCR meeting rooms, to govern meetings
that involve staff from both organizations. These posters reiterate the
organizations' firewall policy requirements, in place since 1987, that
facility-specific information should not be discussed at meetings that
include staff from both organizations and such information cannot be
included in materials prepared for those joint meetings. The posters also
state that, if facility-specific information must be discussed for
business purposes by staff from one organization, the staff from the other
organization must leave the meeting. There are a number of occasions when
Joint Commission and JCR staff interact during which these guidelines may
be applicable. For example, both Joint Commission and JCR staff
participate on internal interdepartmental teams designed to review Joint
Commission programs and ensure they are valuable to health care
organizations. Because these meetings include reviews of the programs'
publication and education services--services provided by JCR--JCR staff
participate on these teams. Another area of interaction is through
educational programs offered by JCR. These programs may include training
by Joint Commission surveyors and central office staff and may take place
at the Joint Commission's headquarters.

The Joint Commission and JCR have also developed a joint code of
conduct^36 and organization-specific conflict-of-interest policies that,
while not focused exclusively on firewall issues, address aspects of the
relationship between the two organizations and the independence of the
accreditation process. In particular, the Joint Commission's
conflict-of-interest policy prohibits staff from providing
accreditation-related consulting and prohibits survey staff from surveying
facilities to which they provided consulting services during the previous
3 years.^37 Similarly, JCR's conflict-of-interest policy prohibits staff
from providing external accreditation-related consulting services and
prohibits JCR consultants from providing consulting services to any
facility they may have surveyed in the past 3 years.

^36The code of conduct provides general information on acceptable staff
behavior and the confidentiality of information, as well as information on
mechanisms for reporting violations.

^37Prior to January 2004, Joint Commission surveyors were allowed to
provide consulting services. Until that time, some surveyors also worked
as JCR consultants, while others worked as independent contractors.

The Joint Commission and JCR Have Taken Steps to Train Staff on, and Monitor,
the Firewall

The Joint Commission and JCR report providing ongoing training to ensure
that staff understand the firewall and related policies. The organizations
have also developed mechanisms, primarily since 2003, that allow staff to
report possible firewall violations. Both organizations report monitoring
compliance with these policies on an ongoing basis and, in 2005, underwent
a joint external review of their implementation.

  Staff Training on Firewall and Firewall-Related Policies

The Joint Commission and JCR reported that both board and staff members
receive training on the firewall and related policies--board members are
trained when they join the board and staff are trained during new employee
orientation. In addition, Joint Commission and JCR staff receive annual
training on the firewall and related policies and procedures and are
further reminded of these policies through periodic presentations at
departmental staff meetings.

As of June 2006, the organizations' staff training did not include a
testing component to measure how well staff understand the policies.^38
However, most staff members and senior staff we spoke with at both
organizations were aware of the firewall policies and were able to
accurately describe their purpose. All but 1 of the 25 staff members we
spoke with--13 with the Joint Commission and 12 with JCR--reported being
familiar with these policies. In addition, all but 1 of the 24 staff
members who were familiar with the firewall policies stated that the
training and information they received made them sufficiently aware of the
firewall and its appropriate implementation. None of the 25 staff members
we spoke with were aware of cases in which staff from either organization
had suggested that the use of JCR consulting services would influence
Joint Commission accreditation.

In addition to training sessions, staff members at the Joint Commission
and JCR have access to information on the compliance program through an
intranet Web site.^39 This site includes copies of the organizations'
respective firewall policies and other compliance-related materials, as
well as information on the role of the organizations' joint Compliance
Officer and Compliance Council.

^38The Joint Commission reported that a testing component was added to its
staff training program in late 2006 and that it will be expanded in 2007.

^39Facility-specific information is not available through this site.

  Mechanisms for Reporting Violations

The firewall policies for both organizations require employees to report
violations to their management, the Compliance Officer, or the Joint
Commission General Counsel. In keeping with this requirement, senior Joint
Commission and JCR management stated that they encourage employees to
contact their supervisors or these other management officers if they are
aware of possible violations or have questions on the firewall. Of the 24
staff members we interviewed at both organizations who were familiar with
the firewall policies, 20 indicated that if they became aware of a
violation, they would contact another staff member, such as their direct
supervisor, division head, or the Compliance Officer.

The Joint Commission and JCR have also developed a compliance hotline that
allows staff to anonymously report any concerns related to compliance
issues. While the firewall policies require employees to report violations
to certain staff, this hotline offers another means of reporting possible
firewall violations.^40 From its inception in March 2005 through December
2005, the hotline received three calls, none of which involved a firewall
violation.^41 All 24 of the Joint Commission and JCR staff members we
spoke with who were familiar with the firewall policies reported being
aware of the compliance hotline. Of those staff members, 6 stated that
they would contact the hotline if they became aware of a firewall
violation.

  Monitoring of Firewall and Related Policies

The Joint Commission and JCR staff report taking multiple steps to monitor
implementation of, and compliance with, the firewall and related policies.
The organizations have created the Compliance Officer position, the
Compliance Council, and the JCR Firewall Oversight Committee, all of which
have a role in monitoring compliance with the firewall and related
policies.

^40The hotline is available 24 hours per day, 7 days a week and is
operated by a contractor. When a call is received, the hotline operator
takes information on the caller's concern and, at the end of the call,
provides the caller with a report number that can be used when following
up with the hotline. Within 24 hours of receiving a call, hotline staff
are required to prepare a report on the call and submit that report to the
Compliance Officer and other specified staff. The Compliance Officer is
then charged with investigating any reported issue.

^41According to Joint Commission staff, two of these calls were from staff
confirming the hotline's existence. The third call concerned a complaint
about a specific facility. This call should have been made to another
Joint Commission hotline that allows members of the public to report
complaints about specific facilities.

According to Joint Commission and JCR staff, the firewall policies have
been monitored internally on an ongoing basis and are now subject to
external reviews. The Joint Commission conducted an internal review in
2002, which was presented to the Joint Commission and JCR boards in 2003.
The 2004 and 2005 firewall policies for both organizations called for an
annual audit of the policy by the Joint Commission's Office of Legal
Affairs, but these audits were not conducted. According to senior Joint
Commission staff, the Joint Commission determined that its legal
department could not conduct a sufficient audit and that instead, the
audits should be conducted by an external body with experience in this
area. In 2005, the Joint Commission and JCR hired a consulting firm to
conduct the first external review of the organizations' firewall policies
and related guidance. Following this review, in 2006, the requirement for
an annual audit by the Office of Legal affairs was deleted and was
replaced with a requirement for an annual review, the results of which are
presented to the appropriate committees of each board. According to Joint
Commission staff, the Joint Commission and JCR anticipate continuing to
contract for an external review of the firewall on an annual basis.

The external review conducted in 2005 did not identify any major
violations of either organization's firewall policy--violations that could
potentially breach the integrity of the accreditation process. In its
report, the consulting firm stated that the implementation of the firewall
policies "represented a reasonable effort to prevent any behavior that
could result in a breach of the integrity of the accreditation process."
However, because no guidelines or standards exist for this kind of review,
the consulting firm did not certify that the firewall and related policies
protected the integrity of the accreditation process.

The external review did identify some minor violations of the
firewall--defined as violations that resulted from the staff's failure to
completely follow operational procedures required by the policies, but
which are not considered to potentially breach the integrity of the
accreditation process. For example, at the time of the 2005 review, JCR
publications and education staff housed in the Joint Commission offices
had access to a Joint Commission shared network folder on a computer
drive. While this shared folder could not be accessed by JCR consulting
staff and Joint Commission surveyors used a separate network, the
consulting firm recommended eliminating JCR staff access. The Joint
Commission and JCR agreed with this and other recommendations made, and
report taking steps to address the issues, including eliminating JCR's
access to Joint Commission computer systems.^42

In addition to this external review, the Joint Commission reported that,
throughout the year, the Compliance Officer monitors concerns and
questions related to the firewall and related policies. Based on this
analysis, the organizations review the policies to determine what, if any,
changes need to be made to improve their clarity. In 2006, the Compliance
Officer developed a list of commonly asked questions and answers, which
was approved by the senior management of both organizations and released
to staff.

According to the Compliance Officer, when minor firewall violations are
identified, each instance is reviewed to determine if it had any impact on
the accreditation decision process and if it was due to a lack of
understanding of the policies or was an intentional violation. She will
then either provide clarification, counseling, or, if necessary, initiate
disciplinary action, including possible dismissal, through the human
resources department. As of July, 2006, no Joint Commission or JCR staff
had been terminated as a result of violating the firewall policies.
However, a senior staff member at the Joint Commission reported that staff
have been terminated for violating the Joint Commission's
conflict-of-interest policies. This staff member noted that two of the
organization's surveyors had been fired for providing consulting services,
although these services were not provided to facilities they had
previously surveyed.

Concluding Observations

Accreditation is a key mechanism to ensure the safety and quality of
hospital services provided to Medicare beneficiaries and other members of
the public. The Joint Commission's role in accrediting the majority of
hospitals participating in Medicare makes the issue of ensuring the
independence of the Joint Commission's accreditation process vitally
important. Any threat to the independence of the accreditation process
could undermine its ability to ensure the safety and quality of services
provided to Medicare beneficiaries and the general public.

^42Among the other recommendations made by the consultant were
recommendations to develop guidelines for meetings involving staff from
both organizations, require board members from both organizations to sign
the annual firewall compliance statement, and modify the firewall policy
to reflect that the Joint Commission Office of Legal Affairs was not
conducting annual audits of the organizations' firewalls.

The Joint Commission and JCR have taken steps to protect the Joint
Commission's accreditation process from influence by JCR's consulting
services by developing mechanisms to protect against the improper sharing
of facility-specific information. However, the majority of these
mechanisms, including the firewall and firewall-related policies, the
compliance hotline, and the annual external review of the firewall, have
either been developed or significantly revised within the past few
years--primarily since 2003. The next step is for management of both
organizations to assure that these mechanisms are sufficient to protect
the integrity of the accreditation process. In addition, even with
appropriate policies and procedures in place, it will take ongoing
monitoring and a concerted effort on the part of the leadership of both
organizations to ensure that these policies and procedures are
appropriately implemented by both their board and staff members.

Agency Comments

We provided a draft of this report to the Joint Commission and CMS for
comment. In its response, the Joint Commission agreed with our concluding
observations, specifically that ensuring the independence of the
accreditation process is vitally important. It indicated that the report
accurately reflects its relationship with JCR, and emphasized that its
highest priority is to preserve the integrity of the Joint Commission's
accreditation process. (The Joint Commission's written comments are
reprinted in app. V.) CMS did not comment on our findings or concluding
observations. Both the Joint Commission and CMS provided us with technical
comments, which we incorporated as appropriate.

As we agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution of this letter
until 30 days after the date of this letter. At that time, we will send
copies to the Administrator of CMS, appropriate congressional committees,
and other interested parties. In addition, the report will be available at
no charge on the GAO Web site at http://www.gao.gov .

If you or your staff have any questions about this report, please contact
me at (312) 220-7600 or [email protected]. Contact points for our Offices
of Congressional Relations and Public Affairs may be found on the last
page of this report. GAO staff who made major contributions to this report
are listed in appendix VI.

Leslie G. Aronovitz
Director, Health Care

Appendix I: Scope and Methodology

We examined the relationship between the Joint Commission on Accreditation
of Healthcare Organizations (Joint Commission) and Joint Commission
Resources, Inc. (JCR) as it relates to the independence of the Joint
Commissions' hospital accreditation process from JCR's hospital consulting
services. To provide information on the governance structure and
operations of the two organizations, we reviewed multiple documents,
including organizational charts reflecting the organizations' structure as
of 2006, a service agreement signed in 2001 and still in effect as of
2006, Internal Revenue Service tax documents from calendar years 2001
through 2004, and agendas and minutes from board meetings of both
organizations from 2003 through September 2006.^1 We also interviewed the
President of the Joint Commission and the President/Chief Executive
Officer of JCR, as well as officers from the Joint Commission Board of
Commissioners and the JCR Board of Directors. In addition, we interviewed
senior staff at both organizations, including the organizations' General
Counsel, each organization's Chief Financial Officer, and the Joint
Commission's Vice President for Human Resources.

To describe the policies the Joint Commission and JCR have developed to
prevent the improper sharing of facility-specific information, we reviewed
Joint Commission and JCR documents, including current and past policies
and guidance related, either directly or indirectly, to the firewall. We
also examined training materials and reports from the compliance hotline
contractor. We conducted interviews with senior staff from the Joint
Commission and JCR. These senior staff included the shared Corporate
Compliance and Privacy Officer, the Joint Commission's Vice President of
Accreditation Services, and the Executive Directors of JCR's consulting
services.

In addition to interviews with senior staff, we selected a sample of 15
staff members at each organization to interview. These semistructured
interviews were designed to collect information on Joint Commission and
JCR staff members' understanding of the firewall and related guidance,
their training on this guidance, and their awareness of possible firewall
violations. Our selection of staff members concentrated on those who were
JCR consultants and Joint Commission staff conducting surveys or working
in the areas of information technology, planning and financial affairs,
and marketing. We considered these particular staff members more likely to
be in a position to breach the firewall than other employees. We selected
staff using random lists of JCR consultants, Joint Commission hospital
surveyors, and employees from the information technology, planning and
financial affairs, and marketing departments, as well as a random list of
employees from all other areas at each organization. Selected staff were
contacted by phone and e-mail. If, after three attempted phone calls and
one e-mail, staff did not respond to our request for an interview we moved
to the next staff member identified in our random selection.^2 We were
able to conduct a total of 25 interviews with Joint Commission and JCR
staff. We were unable to arrange interviews with 2 Joint Commission
surveyors and 3 JCR consultants. We excluded any Joint Commission survey
staff who were not hospital surveyors, JCR staff who provided only
international services, senior staff at both organizations who we had
already interviewed, and Joint Commission staff acting as liaisons to our
work. The information gathered from these interviews reflects the
experience of these staff members and cannot be generalized to all Joint
Commission or JCR staff. While the interviews provide information on staff
awareness of the firewall policies and related guidance, as well as their
awareness of possible firewall violations, they are not sufficient to
determine if there have or have not been any firewall violations.

^1JCR's Firewall Oversight Committee was not formed until 2004; therefore,
we reviewed the agendas and meeting minutes from 2004 through September
2006.

We also conducted interviews with officials from a random sample of 5 of
the 14 state hospital associations that participated in JCR's Continuous
Service Readiness (CSR) program as of May 2006, and with officials from 5
state hospital associations that do not participate in the CSR program.
These interviews were designed to obtain information on the associations'
understanding of the relationship between the Joint Commission and JCR and
how they perceived that their participation in the CSR program might
impact their members' Joint Commission accreditation. To select the sample
for these interviews, we sorted the associations by census regions. We
then selected a random sample of associations that participate in the CSR
program and a random sample of those that do not from within each census
region. We conducted semistructured interviews with each of the selected
associations. One state hospital association did not respond to our
request for an interview. In this case, we replaced that association with
the next association in the same census region identified in our random
selection.

^2E-mail addresses were not available for certain staff members. In these
cases, staff were contacted by phone four times.

We also conducted interviews with officials from 6 hospitals that use
JCR's consulting services to learn more about their understanding of the
relationship between JCR and the Joint Commission. To conduct these
interviews, we determined the number of hospitals that had contracted with
JCR for these services in calendar year 2005. JCR compiled a spreadsheet
that contained e-mail addresses for JCR's 2005 domestic hospital clients.
We identified a random sample of JCR's hospital clients and JCR sent these
hospitals an e-mail asking them to contact us if they were willing to be
interviewed. We selected our sample of approximately 10 percent of that
population--80 facilities--using a randomly generated number list. This
selection was done at the JCR offices and the e-mails were sent to
hospital facilities under our supervision. Facilities were given 2 weeks
to contact us to schedule interviews if they were interested. The
information gathered from these interviews with JCR hospital clients and
the interviews with state hospital associations reflects the experience of
these particular facilities and state hospital associations and cannot be
generalized to all JCR consulting clients.

As part of our work, we also interviewed staff at the Department of Health
and Human Services' Centers for Medicare & Medicaid Services to obtain
information on their oversight of the Joint Commission and other
accreditation organizations. In addition, we interviewed officials from
multiple organizations and reviewed documents to obtain background
information on possible criteria or best practices related to the
governance of nonprofit organizations, conflicts of interest, compliance
programs, and independence standards. Those we interviewed included
officials at Independent Sector--a coalition of charities, foundations,
and corporate giving programs which focuses on strengthening these
particular types of organizations--and the Hauser Center for Nonprofit
Organizations--a research center at Harvard University focusing on the
nonprofit sector. We also interviewed officials from federal agencies and
organizations to obtain information on how they separate accreditation or
certification programs from consulting services. Those we interviewed
included representatives from the Department of Education, the Council on
Higher Education Accreditation, and the National Organization for
Competency Assurance.^3

3The Council on Higher Education Accreditation is an association of
colleges and universities which certifies institutional accrediting
organizations. The National Organization for Competency Assurance includes
the National Commission for Certifying Agencies, which accredits
certification programs for a variety of professions.

Because the Joint Commission's status related to Medicare applies only to
hospitals, our review was limited to information related to its
accreditation of hospitals and services provided by JCR to hospitals. We
did not conduct a review of the Joint Commission's accreditation decision
process. We also did not review information on other activities conducted
by the Joint Commission or JCR that were not related to the relationship
between the Joint Commission's hospital accreditation process and JCR's
hospital consulting services. Further, we excluded Joint Commission
International, a division of JCR that provides consulting and
accreditation services to foreign health care facilities, from the scope
of our work because these facilities are not eligible to participate in
the Medicare program.

We conducted our work from October 2005 to December 2006 in accordance
with generally accepted government auditing standards.

Appendix II: Timeline of Key Developments in the Organizations' Relationship

Appendix III: Policies, Protocols, and Guidelines Related to the Firewall,
as of 2006 

Joint Commission Policies                                                  
Firewall specific                    Non-firewall specific                 
      o Firewall policy                    o Conflict-of-interest policy      
                                                                              
      Designed to eliminate any real or    Prohibits involvement in           
      perceived conflict of interest       activities that might constitute   
      between the Joint Commission         or be perceived to constitute a    
      accreditation activities and         conflict of interest with the      
      JCR's consulting services.           overall mission of the Joint       
      Provides specific direction to       Commission. Requires staff to      
      Joint Commission staff on their      abide by the Joint Commission's    
      interaction with JCR staff and       firewall policy and prohibits the  
      services. This policy applies to     disclosure of confidential or      
      all Joint Commission staff.          proprietary information. Prohibits 
                                           Joint Commission staff from        
      o Firewall policy for planning       providing accreditation-related    
      and financial affairs and            consulting services. Prohibits     
      information technology staff         Joint Commission staff from        
                                           surveying facilities to which they 
      Reinforces the Joint Commission      provided consulting or related     
      Firewall Policies and applies        services during the previous 3     
      specifically to Planning and         years.                             
      Financial Affairs and Information                                       
      Technology Staff who provide                                            
      support services to JCR.                                                
JCR Policies and Protocols                                                 
Firewall specific                    Non-firewall specific                 
      o Firewall policy                    o Conflict-of-interest policy      
                                                                              
      Designed to eliminate any real or    Prohibits involvement in           
      perceived conflict of interest       activities that might constitute   
      between the Joint Commission         or be perceived to constitute a    
      accreditation activities and         conflict of interest with the      
      JCR's consulting services.           mission of JCR and the Joint       
      Provides specific direction to       Commission. Requires staff to      
      JCR staff on their interaction       abide by JCR's firewall policy and 
      with Joint Commission staff and      prohibits the disclosure of        
      services. This policy applies to     confidential or proprietary        
      all JCR staff.                       information. Prohibits JCR staff,  
                                           in most cases, from providing      
      o JCR marketing firewall policy      outside consulting services.       
                                           Prohibits JCR consultants from     
      Provides requirements for            providing consulting services to   
      marketing strategies to protect      facilities they have surveyed in   
      the integrity of the Joint           the past 3 years.                  
      Commission accreditation process                                        
      and ensure that materials contain                                       
      no implication that purchasing                                          
      products or services from JCR                                           
      will impact accreditation                                               
      decisions.                                                              
                                                                              
      o Protocols for JCR field staff                                         
                                                                              
      Provides specific direction to                                          
      JCR consultants in the field,                                           
      including their interaction with                                        
      the Joint Commission staff.                                             
                                                                              
      o JCR scope limitations policy                                          
                                                                              
      Delineates certain consulting                                           
      services that cannot be provided                                        
      to Joint Commission-accredited                                          
      organizations, including                                                
      assistance in preparing                                                 
      challenges to accreditation                                             
      decisions, resolving Joint                                              
      Commission deficiency findings,                                         
      preparing root-cause analysis for                                       
      sentinel events, and preparing                                          
      organizations that have been                                            
      denied Joint Commission                                                 
      accreditation for future surveys.                                       
Combined Joint Commission and JCR                                          
Policies and Guidelines                                                    
Firewall specific                    Non-firewall specific                 
      o Combined meeting guidelines        o Code of conduct                  
      poster                                                                  
                                           Provides guidance on standards for 
      Guides conduct in meetings that      staff conduct and the              
      include both Joint Commission and    confidentiality of information,    
      JCR staff, reiterating that          including mechanisms in place to   
      organization-specific or             help staff report violations of    
      nonpublic accreditation or survey    the code of conduct.               
      process information should not be                                       
      discussed and, if business needs                                        
      dictate that                                                            
      organization-specific information                                       
      be shared, stating that                                                 
      appropriate staff must excuse                                           
      themselves.                                                             

Source: GAO analysis of Joint Commission on Accreditation of Healthcare
Organizations and Joint Commission Resources, Inc. documents.

Appendix IV: Elements of the Firewall Policies, as of 2006

                                Elements common to both                       
Elements unique to Joint     Joint Commission and JCR  Elements unique to  
Commission firewall policy   firewall policies         JCR firewall policy 
      o Staff may not seek or      o Staff may not           o Facilities     
      solicit information on       suggest that the use      using JCR's      
      whether or not a facility    of JCR consulting         consulting       
      has used JCR and is not      services is necessary     services are     
      provided this information    to obtain or influence    informed that    
      by the Joint Commission      Joint Commission          the Joint        
      or JCR representatives.      accreditation.            Commission is    
      o Survey teams are           o Staff may not access    not told that    
      instructed that              confidential              the facility     
      participation in JCR's       facility-specific         used JCR's       
      Continuous Service           information from, or      services and a   
      Readiness program (CSR)      share                     disclaimer to    
      is not considered in the     facility-specific         this effect is   
      accreditation process.       information with, the     included in JCR  
      o Joint Commission           other organization.       contracts.       
      surveyors may not discuss    o JCR staff may not       o Participants   
      any survey assignments,      access the Joint          in JCR's CSR     
      or possible assignments,     Commission's              program are      
      with any JCR consulting      Historical File           informed that    
      staff.                       Room.^a                   Joint Commission 
      o Joint Commission           o Staff at JCR may not    survey teams are 
      surveyors are instructed     access information        told that CSR    
      that survey report forms     about the application     participation is 
      may not include              of the Joint              not considered   
      information on whether or    Commission standards      in the           
      not the surveyed             or accreditation          accreditation    
      organization has used        procedures that is not    process.         
      JCR's services.              already available, or     o JCR            
      o A list of current JCR      will be made available    consultants may  
      staff is provided to the     promptly, to outside      not communicate  
      Joint Commission             parties.                  with surveyors   
      Historical File Room         o JCR staff may not       about specific   
      staff to allow them to       attend Joint              facility         
      monitor access.^a            Commission surveyor       accreditation    
      o Certain staff who have     training and may not      decisions, may   
      access to JCR financial      have access to            not in any way   
      and operational              surveyor educational      participate in   
      information as part of       tools not generally       the              
      their role in providing      available to outside      accreditation    
      services to JCR may not      parties.                  process as a     
      disclose JCR                 o All staff must sign     representative   
      organization-specific        a compliance statement    of the facility, 
      information to other         on an annual basis.^b     and may not      
      Joint Commission staff.      o The firewall policy     discuss the      
      o JCR publishes the Joint    is sent annually to       choice of        
      Commission's                 all staff, and is         surveyors for    
      accreditation materials      referenced in each        particular       
      and supplies their           organization's            facilities with  
      educational services.        conflict-of-interest      the Joint        
      These services are           policies, which staff     Commission.      
      promoted in Joint            are also required to      o All JCR        
      Commission and JCR           sign on an annual         promotional      
      materials. Any reference     basis.^b                  materials        
      in Joint Commission          o The firewall policy     related to       
      materials to JCR's           is covered during new     consulting       
      consulting services is       employee orientation      services are     
      generally limited to         and training.             reviewed by the  
      acknowledging JCR's          o Staff must report       Joint Commission 
      existence, its services,     any violation of their    Office of Legal  
      and the reason for its       organization's            Affairs.         
      creation.                    firewall policy to the    o JCR consulting 
      o Facilities asking for      Compliance Officer,       services         
      information on consulting    the Joint Commission      maintain         
      services are referred to     General Counsel, or       separate         
      the Joint Commission's       their organization's      offices,         
      central office. Staff at     management.               telephone        
      the central office will      o An annual review is     numbers, and     
      refer to the availability    conducted to ensure       computer systems 
      of JCR's services, and       appropriate separation    from the Joint   
      will also emphasize the      between the Joint         Commission.      
      separateness of the Joint    Commission                o JCR            
      Commission's                 accreditation             promotional      
      accreditation process        activities and JCR        materials are    
      from JCR's consulting        consulting services       limited to       
      services.                    and the results are       identifying JCR  
      o The firewall policy is     presented to the          as a nonprofit   
      posted on the surveyor       relevant board            affiliate of the 
      Web site.                    committees.               Joint Commission 
                                                             and the          
                                                             separateness     
                                                             between          
                                                             accreditation    
                                                             decisions and    
                                                             JCR's services   
                                                             should be        
                                                             identified.      

Source: GAO analysis of Joint Commission on Accreditation of Healthcare
Organizations and Joint Commission Resources, Inc. documents.

aThe Historical File Room is a secured space at the Joint Commission
offices in Oakbrook Terrace, Illinois.

bStaff are required to sign compliance statements signifying that they
have read, and agree to comply with, both the firewall policy and
conflict-of-interest policy that apply to their specific organization.

Appendix V: Comments from the Joint Commission on Accreditation of
Healthcare Organizations

Appendix VI: GAO Contact and Staff Acknowledgments

GAO Contact

Leslie G. Aronovitz, (312) 220-7600 or [email protected]

Acknowledgments

In addition to the person named above, Geraldine Redican-Bigott, Assistant
Director; Emily Gamble Gardiner, Thomas Han, Kevin Milne, Daniel Ries,
Janet Rosenblad, and Jessica Cobert Smith made key contributions to this
report.

(290499)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
[email protected] Automated answering system: (800) 424-5454 or (202)
512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

www.gao.gov/cgi-bin/getrpt?GAO-07-79 .

To view the full product, including the scope
and methodology, click on the link above.

For more information, contact Leslie G. Aronovitz at (312) 220-7600 or
[email protected].

Highlights of [33]GAO-07-79 , a report to congressional requesters

December 2006

HOSPITAL ACCREDITATION

Joint Commission on Accreditation of Healthcare Organizations'
Relationship with Its Affiliate

Hospitals must meet certain conditions of participation established by the
Centers for Medicare & Medicaid Services (CMS) in order to receive
Medicare payments. In 2003, most hospitals--over 80 percent--demonstrated
compliance with most of these conditions through accreditation from the
Joint Commission on Accreditation of Healthcare Organizations (Joint
Commission). Established in 1986, Joint Commission Resources, Inc. (JCR),
a nonprofit affiliate of the Joint Commission, provides consultative
technical assistance services to hospitals. Both organizations acknowledge
the need to ensure that JCR's services do not--and are not perceived
to--affect the independence of the Joint Commission's accreditation
process.

GAO was asked to provide information on the relationship between the Joint
Commission and JCR. This report describes (1) their organizational
relationship, and (2) the significant steps they have taken to prevent the
improper sharing of information, obtained through their accreditation and
consulting activities, respectively, since JCR was established. GAO
reviewed pertinent documents, including conflict-of-interest policies and
information about the organizations' financial relationship, and
interviewed staff and board members from both organizations, JCR clients,
and CMS officials.

The Joint Commission and JCR have a close relationship as demonstrated
through their governance structure and operations. The Joint Commission
has substantial control over JCR and the two organizations provide
operational services to one another. For example, JCR manages all Joint
Commission publications, while the Joint Commission provides support
services to JCR. Despite the Joint Commission's control over JCR, the two
organizations have taken steps designed to protect facility-specific
information. In 1987, the organizations created a firewall--policies
designed to establish a barrier between the organizations to prevent
improper sharing of this information. For example, the firewall is
intended to prevent JCR from sharing the names of hospital clients with
the Joint Commission. Beginning in 2003, both organizations began taking
steps intended to strengthen this firewall, such as enhancing monitoring
of compliance.

Ensuring the independence of the Joint Commission's accreditation process
is vitally important. To prevent the improper sharing of facility-specific
information, it would be prudent for the Joint Commission and JCR to
continue to assess the firewall and other related mechanisms.

Relationship between the Joint Commission, JCR, and Hospitals

The Joint Commission agreed with GAO's concluding observations. CMS did
not comment on GAO's findings or concluding observations. Both provided
technical comments, which we incorporated as appropriate.

References

Visible links
  24. http://www.gao.gov/cgi-bin/getrpt?GAO-04-850
  33. http://www.gao.gov/cgi-bin/getrpt?GAO-07-79
*** End of document. ***