Compliance Ticket Management SOP and Checklists
Overview
This Standard Operating Procedure operationalizes POL-003: Compliance Reporting, Investigation, and Resolution. It defines required actions, owners, timelines, and documentation standards for managing compliance tickets.
Ticket volume assumption: Low volume (fewer than 25 tickets per year).
Oversight model: Compliance Officer with Compliance Committee governance.
Tools: OSticket (primary ticketing system), anonymous reporting web form (https://anonymous.abaswma.com/), HIPAA-compliant cloud storage.
Roles
| Role | Responsibilities |
|---|---|
| Compliance Officer (CO) | Owns the compliance ticketing process. Performs triage. Assigns Case Owners. Determines escalation and reporting obligations. Approves case closure. |
| Case Owner / Investigator | Manages day-to-day investigation activities. Maintains working case documentation. Develops findings and corrective actions. |
| Compliance Committee | Reviews high-risk, sensitive, or systemic cases. Reviews trends and aggregate reporting. |
Lifecycle Steps
Step 1: Intake and Logging (Day 0-1)
Owner: Compliance Officer or designee
Actions:
- Create a compliance ticket immediately upon receipt of a concern. For submissions received through the anonymous web form (https://anonymous.abaswma.com/), the email notification to the compliance monitor serves as the initial receipt. The compliance monitor logs the ticket in OSticket (manually or via auto-routing).
- Assign a unique Ticket ID (generated by OSticket upon ticket creation).
- Capture the original narrative verbatim.
- Record intake source and date/time.
- Restrict access to intake record.
Checklist:
- [ ] Ticket created
- [ ] Original narrative preserved verbatim
- [ ] Intake source documented
- [ ] Access restricted
Artifact: Unredacted Intake Record (Form 1)
Step 2: Triage and Risk Classification (Within 1-2 Business Days)
Owner: Compliance Officer
Actions:
- Assess credibility and urgency.
- Identify applicable oversight bodies (MassHealth, commercial payers, HIPAA, or the MA Board of Allied Mental Health).
- Assign risk level (Low / Medium / High / Critical).
- Assign Case Owner.
- Determine need for interim controls.
Checklist:
- [ ] Credibility assessed
- [ ] Risk level assigned
- [ ] Oversight bodies identified
- [ ] Case Owner assigned
- [ ] Interim controls considered
Artifact: Triage and Risk Classification Form (Form 3)
Step 3: Redaction and Working Case Creation
Owner: Compliance Officer
Actions:
- Create a redacted working version of the intake.
- Remove reporter identity unless required by law.
- Remove unnecessary PHI or identifiers.
- Preserve original intake separately.
Checklist:
- [ ] Reporter identity removed (if applicable)
- [ ] Unnecessary PHI removed
- [ ] Original intake preserved
- [ ] Redaction log completed
Artifacts: Redacted Working Case File, Redaction Log (Form 2)
Step 4: Aggregation and Pattern Review
Owner: Case Owner
Actions:
- Review prior compliance tickets for related issues.
- Determine whether issue is isolated or systemic.
- Document related ticket IDs.
- Escalate to Compliance Committee if systemic risk is identified.
Artifact: Aggregation and Pattern Review Form (Form 4)
Step 5: Investigation
Owner: Case Owner / Investigator
Actions:
- Document investigation plan and scope.
- Collect and preserve evidence.
- Conduct interviews if applicable.
- Maintain evidence log.
- Separate factual findings from analysis.
- Disclose any conflict of interest and recuse if necessary (per POL-003, Section 5.5).
- Recommend referral to outside counsel if the matter exceeds in-house capabilities or involves potential legal liability.
Checklist:
- [ ] Investigation plan documented
- [ ] Scope defined
- [ ] Conflict of interest assessed and documented
- [ ] Evidence logged and preserved
- [ ] Interviews documented
- [ ] Findings supported by evidence
- [ ] Outside counsel need evaluated
Artifacts: Investigation Plan (Form 5), Evidence Log (Form 6), Interview Summaries (Form 7)
Step 6: Findings Determination
Owner: Case Owner, reviewed by Compliance Officer
Actions:
- Classify each allegation as substantiated, unsubstantiated, or inconclusive.
- Reference supporting evidence.
- Cite applicable policy or regulatory standards.
Artifact: Findings Summary (Form 8)
Step 7: Resolution and Corrective Action
Owner: Compliance Officer
Actions:
- Identify root cause.
- Develop Corrective Action Plan (CAP) for substantiated findings.
- Assign owners and deadlines.
- Define verification method.
Checklist:
- [ ] Root cause identified
- [ ] CAP documented
- [ ] Owner assigned
- [ ] Deadline set
- [ ] Verification method defined
Artifact: Corrective Action Plan (Form 9)
Step 8: Notification and Reporting
Owner: Compliance Officer
Actions:
- Identify internal notification recipients.
- Complete required notifications.
- Determine external reporting obligations.
- Document reporting or non-reporting decisions with rationale.
Checklist:
- [ ] Internal notifications completed
- [ ] External reporting evaluated
- [ ] Reporting decisions documented
Artifacts: Notification Log (Form 10), External Reporting Record (Form 11)
Step 9: Closure and Follow-Up
Owner: Compliance Officer
Actions:
- Confirm investigation completion.
- Confirm CAP completion or scheduling.
- Complete closure summary.
- Schedule follow-up monitoring if required.
Checklist:
- [ ] Investigation complete
- [ ] CAP completed or scheduled
- [ ] Documentation finalized
- [ ] Closure approved by Compliance Officer
- [ ] Follow-up scheduled if required
Artifact: Case Closure Summary (Form 12)
Record Retention
Compliance tickets and associated documentation are retained for a minimum of six to ten years, depending on issue type and applicable regulatory requirements. Records are stored securely with role-based access controls.
Forms Reference
All forms referenced in this SOP are maintained in the Compliance Ticket Forms and Templates Pack (CFM-005):
| Form | Title |
|---|---|
| Form 1 | Compliance Intake Form (Unredacted, Restricted) |
| Form 2 | Redaction Log |
| Form 3 | Triage and Risk Classification Form |
| Form 4 | Aggregation and Pattern Review Form |
| Form 5 | Investigation Plan Template |
| Form 6 | Evidence Log |
| Form 7 | Interview Summary Template |
| Form 8 | Findings Summary |
| Form 9 | Corrective Action Plan (CAP) |
| Form 10 | Notification Log |
| Form 11 | External Reporting Record |
| Form 12 | Case Closure Summary |