The updated General Compliance Program Guidance (GCPG) from the Office of the Inspector General (OIG) is an extremely helpful reference with an easy-to-understand user’s guide. As Shawn DeGroot noted in her recent look at top takeaways from the document, “The GCPG should be used to establish a compliance program, clarify roles and responsibilities, identify risks, and align current policies and procedures with what should be done.” 
 
Compliance officers can make the most of the new GCPG to meet the requirements of the OIG’s seven elements in a relevant and meaningful way. Below are recommendations – with tips for each of the seven elements – on how the new GCPG can help you develop and maintain your organization’s compliance program.  

Element 1 (page 33): Written Policies and Procedure 

• An organization’s Code of Conduct, which reflects its mission, vision and goals, should be revised regularly. Each employee and board member should read and acknowledge the Code of Conduct, reflecting their attestation to act ethically and comply with federal and state laws and regulations. 
• Policies around billing, coding, marketing, quality of care, and physician and vendor arrangements should be reviewed regularly. This means they should be revised if necessary, and a system should be created and maintained with outdated or retired policies.  

Element 2 (page 37): Compliance Leadership and Oversight 

• Organizations should designate a compliance officer who reports to the Board of Directors and/or the CEO directly. This person should have the authority and resources necessary to implement an effective compliance program.  
• All organizations’ compliance committees should support the compliance officer in carrying out the compliance program objectives. The committee should meet no less than quarterly.  
• The Board of Directors should oversee compliance, as they have a fiduciary duty to understand compliance operations and organizational risks.  

Element 3 (page 46): Training and Education  

• Make clear the identity and role(s) of the compliance officer and the compliance committee. 
• Be sure to highlight ways that individuals can raise compliance concerns or questions. Support an environment of nonretaliation. 
• Organizations should have a system to monitor training and education completion by every employee, contractor, student, and volunteer. 

Element 4 (page 50): Effective Lines of Communication  

• Organizations should allow confidential or anonymous reporting of concerns. This could be done through a hotline number, a website, an email, or mail.  
• Organizations then should develop and maintain a disclosure log and reported concerns.  

Element 5 (page 53): Enforcing Standards – Consequences and Incentives 

• Ensure that consequences for noncompliance are well-known throughout the organization. To deter noncompliance, these consequences should be consistently applied and enforced.   
• Develop incentives, such as staff recognition, to promote and encourage participation in the organization’s compliance program.  

Element 6 (page 55): Risk Assessment, Auditing, and Monitoring 

• Utilize risk-assessment tools to identify, analyze, and appropriately respond to organizational risks.   
• Develop and implement an auditing and monitoring plan and calendar for due dates. These audits can be conducted by internal or external auditors.  

Element 7 (page 59): Responding to Detected Offenses and Developing Corrective Action Initiatives 

• Investigate alleged violations. Summarize the investigative process and investigation findings, and report it all to the compliance committee, CEO, and Board.  
• Report misconduct or noncompliance to the appropriate governmental agency, as required. For example, in accordance with HIPAA breach notification requirements.  

As healthcare delivery systems become more complex, compliance professionals need to develop and implement compliance programs that are robust enough to provide a good foundation yet flexible enough to allow for change. Mapping the OIG’s new GCPG document to the seven elements can help compliance officers start the new year from a place of strength. 

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal, and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix and Vice President of the company’s self-insurance captive.  

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm.

Get the latest from healthcare compliance experts  

Never miss an article by Denise Atwood. Sign up for YouCompli’s weekly email if you have not already.

The post How the OIG’s New General Compliance Program Guidance (GCPG) Addresses the Seven Elements   first appeared on YouCompli.

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) recently issued a warning regarding online tracking technologies. Because they pose risks to patient privacy and security, it is important for compliance pros to understand them and, of course, comply with applicable federal laws. Compliance officers also should partner with their Information Technology (IT) and risk management departments to ensure their organizations protect patient privacy and minimize security risks.  

Tracking Technologies  

It is good to start by understanding Internet browser tracking. Whenever a person browses the Internet or performs an Internet search, every link clicked, and each website visited is recorded. Websites then place small amounts of this data, known as cookies, on users’ electronic devices to track their browsing activity. They do this to help people more quickly access and search for material they frequently are interested in, as well as to deliver ads they may find useful. However, some people have found ways to use this tracking technology to access those cookies and acquire/share the personal data – including health information – they contain.  

To protect patients’ privacy and adhere to federal law, compliance professionals must understand what online patient data is being tracked and used by their organization’s website, social media pages, and payment portals. 

GFC Global, a nonprofit program, provides free and easy-to-understand videos on digital tracking. GFC Global focuses on the potential for website hacking and the sale of patient information. You will notice their site asks about sharing your cookies before you can access it! Once acknowledged, you can access their videos. 

Heeding the Warning 

Within the healthcare space, the OCR enforces HIPAA Security and Breach Notification Rules (HIPAA Rules), and the FTC protects the public from deceptive business practices. In a joint letter the two agencies released earlier this year, they expressed concerns “about the use of online tracking technologies such as Google Analytics and Meta Pixel in violation of HIPAA.” OCR Director Melanie Fontes Rainer noted, “Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website.” The OCR is using its resources to address this concern.  

Similarly, Samuel Levine, director for the FTC’s Bureau of Consumer Protection, explained, “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue to do everything in our powers to protect consumers’ health information from potential misuse and exploitation.” With the OCR and FTC focusing on these issues, compliance professionals should as well so they can best support their organization and their patients. 

Protecting Patient Privacy 

Impermissible disclosure of a patient’s personal health information (PHI) violates the HIPAA Privacy Rule and can result in harm to the patient. A year ago, the OCR issued a bulletin to remind HIPAA-covered entities of their obligations under the HIPAA Rules.  

HIPAA Rules prohibit regulated entities from using tracking technologies that could result in impermissible disclosures of PHI, including electronic PHI or ePHI. When tracking technologies gather information about users without their knowledge, there is a risk that users’ health information can be misused, sold, or otherwise exploited.  

The bulletin provides specific examples of how the HIPAA Rules apply to regulated entities’ use of tracking technologies. It covers tracking on user-authenticated (where the user must log in) and unauthenticated websites, as well as tracking within mobile applications and adhering to HIPAA compliance obligations.  

The bulletin emphasizes that HIPAA-regulated entities and their business associates must follow the law. Compliance professionals must ensure that business associates that use tracking technologies complete a business associate agreement and comply with HIPAA Rules. A joint risk audit of your vendors involving compliance and IT would demonstrate such due diligence.  

Following OIG (Office of the Inspector General) Guidance 

To protect patient PHI and ePHI, the OIG recommends following guidance with regard to online tracking technologies: 

• User-authenticated websites, such as patient portals, must use and disclose ePHI in compliance with the HIPAA Privacy Rule (45 CFR part 160 and s45 CFR part 164, subparts A and E) and ensure compliance with the HIPAA Security Rule (45 CFR part 164, subparts A and C).  
• Unauthenticated websites – those that do not require logging in – are, in most cases, not regulated by the HIPAA Rules. However, the HIPAA Rules may apply in some instances. For example, if a patient accesses an online portal to schedule an appointment and the tracking technology collects the patient’s date of birth or email address, HIPAA Rules apply.  
• Mobile applications offered by a regulated entity to manage appointments or pay for services are considered ePHI and thus regulated by HIPAA Rules. Moreover, compliance professionals should confirm whether these applications collect information such as fingerprints, device IDs, or network locations, which are considered PHI and covered under the HIPAA Rules. 

Compliance professionals who work for regulated entities are required to follow HIPAA Rules to protect patient PHI and ePHI when tracking technologies are used or offered by their healthcare organization. It is prudent for compliance officers to collaborate with their IT and risk management departments. Working together, they can ensure that their organization is aware of which websites and applications use tracking technology and determine the best way to mitigate patient privacy and security risks. 

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal, and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix and Vice President of the company’s self-insurance captive.  

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts  

Never miss an article by Denise Atwood. Sign up for YouCompli’s weekly email if you have not already.   

The post Mitigating Risks from Online Tracking Technologies  first appeared on YouCompli.

With children back in school, well-visit checkups and sports physical appointments are opportunities for providers to evaluate and discuss mental health. School-aged kids – ages 5 to 17 – face a mental health crisis, and they need all the support they can get. Youth intervention may not be a traditional focus area for compliance professionals, but they can be instrumental in confronting this crisis. They can help educate pediatric providers about how to access and use mental health screening and prevention tools.   

Youth Mental “Unhealth”

Unfortunately, statistics demonstrate the sad state of mental health in school-aged children. Mental Health America – a nonprofit organization with free online resources on youth mental health – found that more than 2.7 million children experience severe depression. Rates of a severe depressive episode are highest among youth who identify as more than one race. 

Also, U.S. News & World Report recently found that about 15% of American school-aged children have undergone some form of mental health treatment. While those statistics are staggering, they only count diagnosed and treated children; sadly, many are never diagnosed or treated for their mental health needs.   

Early identification is key to getting kids mental health services. This is where compliance professionals and pediatric providers can collaborate to improve youth mental health.   

Identifying the Need for Intervention  

ECRI’s chief medical officer, Dheerendra Kommala, M.D., recently summarized the challenges around providing mental health services for youth. He said, “Structural barriers and bias block access to high-quality mental healthcare for youth of color and LGBTQ youth despite the fact they are more likely to experience depression and anxiety, and attempt suicide at higher rates.”    

To identify the need for mental health intervention, providers typically use assessment tools that offer information about mental, emotional, behavioral, and social needs. Once those needs are identified, a provider can refer the child for further care, treatment and/or additional resources.   

While youth intervention is not a traditional focus for compliance professionals, they have an important role to play here. Ensuring that assessment tools are easily available for pediatric providers – online, on paper, or in an electronic medical record template – is a critical area where compliance officers can be instrumental in youth intervention.  

Below are starting points for compliance professionals to use to connect providers with tools for mental health assessment and prevention. 

Mental Health Tools for Providers   

The American Academy of Pediatrics has a variety of free mental health tools and resources for providers as well as resources for families. The Mental Health Tools for Pediatrics is a comprehensive table that provides the names of assessment tools and descriptions, along with links to tools (for those with free access).   

Compliance professionals can ensure pediatric providers know how to access and use the online tools. It’s also helpful for compliance professionals to collaborate with the organization’s information technology department to integrate the most-used tools into the electronic medical record.   

Also useful is the Substance Abuse and Mental Health Services Administration (SAMHSA) website, which offers an abundance of free information and tools. SAMHSA even has an evidence-based practices resource center that compliance professionals can share with providers to help develop patient best practices.  

Additionally, SAMHSA provides free practitioner education, training, and resources on topics including technical assistance for substance use prevention, behavioral health treatment, suicide prevention, and infant and early childhood mental health.  

Educating Children and Caregivers 

To educate school-aged children, compliance professionals should make sure providers offer information and materials during clinic visits. This includes details like where to call for help, such as:  

• Call 911 if you feel threatened or you are in danger.   
• Call 988 if you are in a crisis or want to harm yourself and don’t have anyone to talk to.  

Also, compliance professionals can help providers educate parents and caregivers on how to identify mental health issues or substance use. Resources include:  

• Talk. They Hear You – A campaign to reduce drinking and substance use that provides resources for discussing these issues with children. It’s intended for parents, guardians, and providers.  
• Mental Health Awareness Month – While May is the official recognition month, the campaign’s resources are useful year-round for education and support on mental health issues.  

The data is clear: providers and parents need our help to improve pediatric mental health. Millions of children are struggling, and we need to work together to ensure that every child who needs help gets it. Compliance professionals can positively impact pediatric patient care by assisting providers with education and making sure they can access – and know how to use – mental health assessment and prevention tools.    

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal, and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix and Vice President of the company’s self-insurance captive.  

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts  

Never miss an article by Denise Atwood. Sign up for YouCompli’s weekly email if you haven’t already.   

The post Our Youth Mental Health Crisis: How Compliance Can Help Providers Address It   first appeared on YouCompli.

Mitigating fraud, waste, and abuse (FWA) is taking on a new urgency for healthcare compliance professionals. Enforcement agencies are prioritizing efforts to deter FWA as more individuals enroll in government healthcare programs like Medicare and Medicaid, and telehealth services continue to evolve post-pandemic.  

Compliance professionals can help their organizations reduce FWA with a “prevent, detect, report” strategy, guided by recommendations from the Office of the Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS). This three-pronged strategy focuses on educating patients and staff about how to avoid misconduct. It also emphasizes training individuals on how to recognize and report FWA violations when they see them. Integrating this strategy into your compliance culture can help your organization avoid penalties and deliver compliant patient care. 

Enforcement Priorities  

The Inspector General of the U.S. Department of Health & Human Services (HHS) recently shared focus areas for the OIG, which is working to identify facility compliance weaknesses including financial integrity and FWA. According to a recent Semiannual Report to Congress, the OIG expects audit recoveries of more than $1 billion and more than $2.7 billion in investigative recoveries from more than 1,400 criminal and civil actions. In addition, the OIG excluded more than 2,300 individuals and entities from federal programs. Given the severity of penalties associated with FWA, compliance professionals’ knowledge and skills will be crucial to ensuring that their organizations avoid penalties and provide compliant patient care.  

In addition, CMS education and outreach focuses on preventing, detecting, and reporting Medicare fraud and abuse. This aligns nicely with the OIG’s efforts to identify facility financial integrity weakness because the OIG accepts FWA tips and complaints from many sources. Compliance professionals as well as healthcare workers and employees, providers and patients, and insurance companies can file potential complaints.   

Compliance professionals can help combat FWA by educating patients and training staff on how to identify and report potential violations. Here’s where the “prevent, detect, report” concept comes into play.  

Step 1: Prevent  

To educate patients about FWA, compliance professionals can create materials for waiting rooms that give simple examples of what FWA looks like. For example, they can describe how to read a billing statement and identify services or supplies that were not provided. They also could record short videos for the organization’s website with examples of FWA and where to confidentially report such activities.   

For staff, compliance officers should support annual online FWA compliance training. In addition, they can create educational flyers that address situations staff may encounter, such as what to do if a provider is ordering medically unnecessary services or tests or knowingly billing for services at a level of complexity higher than the services actually delivered. 

Look to OIG’s seven elements as you implement the “prevent” part of your strategy. Prevention is aligned with Element 1 – implementing written policies, procedures and standards of conduct – as you’re developing policies and procedures to protect patients’ personal health information. And Element 3 – conducting effective training and education – is in play as training helps staff feel confident that they know the proper billing procedures and codes.    

Step 2: Detect  

According to CMS, the distinctions between fraud, waste, and abuse depend on the facts, circumstances, intent, and knowledge of the activity. Compliance professionals should highlight examples in their training materials to help organization staff better identify:  

• Abuse – Improper billing such as upcoding, when an inaccurate or a different code is used to increase the reimbursement amount to the provider or facility.   
• Fraud – Billing for supplies or services that were not given or provided to the patient. 
• Waste – Ordering services that are excessive, such as additional laboratory tests or diagnostic images.   

There also should be education on other important, but less recognizable, types of Medicare or Medicaid fraud. These include: 

• Insurance card sharing – Allowing a family member to impersonate the insurance card holder to receive care. 
• Drug diversion – Obtaining services and prescriptions for back pain, for example, and giving pain medication to someone else.  
• Program eligibility – Misstating information or lying during enrollment to obtain insurance.  

You can find real-life cases of Medicare fraud and abuse, and the consequences for offenders, on the OIG’s Medicare Fraud Strike Force website. 

Again, you can turn to the OIG’s seven elements to guide these efforts. Detection touches on Element 4, developing effective lines of communication, as staff and patients alike must feel comfortable reporting concerns to the compliance department or hotline. Element 5 – conducting internal monitoring and auditing – is the foundation of detection and should be aligned with the department’s compliance workplan. Finally, Element 6, enforcing standards through well-publicized disciplinary guidelines, includes sharing patients’ rights to promote patient privacy. Moreover, the process for deviations in the standards is clearly defined and made known to staff and patients alike. 

Step 3: Report  

Once any of the above activities are discovered, compliance officers should educate patients and staff on how to report FWA. This is critical to enabling the organization to avoid misconduct and maintain fiscal integrity.  

First, compliance officers should widely post information for patients and staff on where and how to report potential FWA. This could include how to submit a hotline report on the HHS-OIG website. Moreover, compliance professionals should report activities such as upcoding or unbundling in a timely manner so overpayments can be promptly returned. This helps maintain the financial integrity of the organization and prevents staff from engaging in abusive practices that could result in violations of civil or criminal laws.  

Finally, refer to the OIG’s seven elements for the “report” aspect of your strategy. Reporting involves Element 2 – designating a compliance officer and compliance committee – as deviations in policy or breaches of information can be reported appropriately to internal and external stakeholders. And Element 7, responding promptly to detected offenses and undertaking corrective action, aligns directly with the reporting responsibility. It may also involve notification to patients if their protected health information has been compromised.  

Delivering compliant care means educating staff and patients about how to prevent, detect, and report FWA. Compliance officers should keep patient care front and center in their training and education efforts, while making the most of the OIG’s guidance and CMS resources. This type of focused strategy – prevent, detect, and report – enables compliance teams to support patient-centered care that focuses on doing the right thing. 

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal, and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix and Vice President of the company’s self-insurance captive.  

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts  

Never miss an article by Denise Atwood. Sign up for YouCompli’s weekly email if you haven’t already.   

The post Improving Patient Care With a “Prevent, Detect, Report” Strategy   first appeared on YouCompli.

An opportunity to reframe, regroup, and refocus 

Now that the COVID-19 Public Health Emergency (PHE) is well behind us, we have an opportunity to reframe patient expectations – and regroup and refocus on compliance-related patient care needs. As health care organizations return to business as usual, it’s time to ensure that we’re delivering health care services in a compliant and compassionate way.   

The main goal for reframing patient care should be to ensure we express and genuinely meet patient needs as they actually are – not what we think they are. As the journal Nurse Leader explained, “It is time for health care … to create our version of how we can professionally and compassionately reframe the expectations of the care we can deliver.”   

From a compliance perspective, this means supporting care teams based on the principles of social determinants of health (SDOH), such as understanding how to access affordable health insurance or obtaining transportation for follow-up appointments. It’s an important way that compliance professionals can reinforce the delivery of seamless patient care.  

There are three key components of a “reframe, regroup, and refocus” strategy in practice. I’ll describe each of them in more detail here.  

1. Social Determinants of Health   

It all starts with acknowledging SDOH for your patient population. These are “the conditions in the environment where people are born, live, learn, work, play, worship, and age that affect a wide range of health, functioning, and quality-of-life outcomes and risks.” When reframing patient expectations, be sure to evaluate their SDOH and refocus, where applicable, on how to best meet your patient population’s needs.    

SDOH are generally grouped into five areas, including:  

1. Social and community – Access to fresh food, and the ability to participate in social activities  
2. Quality education – Access to schools, language, and literacy skills  
3. Neighborhood and built environment – Feeling safe and having basic needs met, such as clean water and reliable transportation 
4. Economic stability – Job opportunities, affordable housing, affordable health care, etc.  
5. Health care – Access to quality health care, and the ability to obtain health insurance  

Compliance professionals can survey patients on these five areas to help their organizations reframe patient care expectations and understand what’s important to them related to care.   

After reframing appropriately, compliance professionals can help their organizations regroup by learning – and then educating other staff – about SDOH. You can use commercially available tools or create your own. Also, compliance teams can conduct audits to ensure that their organizations use current federal poverty levels when creating a sliding fee scale (SFS) to estimate payment for services rendered.       

Once SDOH are more commonly understood, compliance teams then can help refocus their organizations by assisting colleagues in filling gaps between what patients need and what the organization currently does. For example, there should be a policy and process to enroll patients in insurance plans, such as Medicaid or Affordable Care Act (ACA) health plans. This could also mean making sure organizations comply with a sliding fee discount program for health care services, when applicable, and educating staff on how to apply SFS payments appropriately.     

2. Seamless Care  

In reframing patient expectations, it is reasonable to expect that patients want seamless care. When patients are satisfied in this area, it typically means organizations do a couple of things well.   

First, providing seamless care means evaluating patients’ health literacy and meeting them where they are. This includes ensuring that documents such as patient surveys, consents, education materials, and discharge instructions are provided in the languages spoken by your patient population. It’s standard now to offer those materials at a fifth or sixth grade reading level, using everyday terms and not medical jargon. These materials also should be easily accessible in print and online.   

In helping their organizations refocus on patient needs, compliance professionals should review transportation-related policies to help colleagues better understand how to request transportation for patients when needed. They also should review transportation contracts to evaluate if transportation carriers are meeting contract deliverables.    

Second, seamless care means having reasonably priced, reliable, and dependable transportation from home to medical, laboratory, or diagnostic appointments.

Compliance professionals can partner with social services or care management to survey patients who use transportation services and evaluate how satisfied they are with those services.   

3. Compliant Care  

The third key component of delivering proper patient care is ensuring that care is compliant. Even if patients may not recognize compliant care, that does not make it any less important. Compliance professionals are instrumental in the delivery of compliant care by helping organizations focus on:  

• Patient safety – Preventing patient harm  
• Patient privacy and security – Preventing the unauthorized access or use of patient information, and maintaining patient confidentiality   
• Patient billing – Preventing fraud, waste, and abuse    

Compliance professionals can assist their care teams in delivering compliant care by:   

• Reframing what patient safety looks like from the patient’s perspective. Compliance professionals should conduct routine facility audits to evaluate for areas of potential harm, such as loose stair railings or spaces where patient information can be easily overheard by others.     
• Regrouping on patient billing. Compliance professionals can collaborate with coding professionals to audit patient bills and make sure the care was needed and billed at the appropriate level.    
• Refocusing on education. Compliance professionals can help provide education in areas where billing and coding might be difficult or confusing.   

A “reframe, regroup, refocus” approach enables compliance teams to work with other departments to provide excellent patient-centered care. Compliance professionals’ guidance was crucial to health care organizations throughout the pandemic. Now, post-PHE, it’s time to reframe, regroup, and refocus to make sure organizations are delivering quality care that meets patients’ needs.  

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal, and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix and Vice President of the company’s self-insurance captive.  

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.   

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management  

Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm.  

Get the latest from healthcare compliance experts 

Never miss an article from Denise Atwood. Sign up for YouCompli’s weekly email if you haven’t already.  

The post How to Deliver Patient-Centered Care in a Post-Covid World first appeared on YouCompli.

How Compliance Can Leverage the OIG’s 7 Elements and HHS Roadmap  

With the end of the COVID-19 Public Health Emergency (PHE) coming in May, many healthcare compliance leaders are in the process of slowly returning their organizations to normal. Let’s revisit the seven elements and how they can help you shape the patient experience. Reviewing operations in the context of the seven elements can help you ensure that your organization has a smooth transition back to pre-pandemic operations.  

Relying on the Seven Elements and the HHS Roadmap as Resources 

Months ahead of the COVID-19 PHE expiration date, the U.S. Department of Health & Human Services posted a fact sheet and transition roadmap. It addressed which patient care and services will – and won’t – be affected, and it remains a helpful guide now.  
 
The seven elements in the OIG’s effective compliance program are also useful as we consider how to best deliver quality patient care post-PHE. Each element is an opportunity for compliance officers to position their organization to provide the best patient care. 

1. Implementing Written Policies, Procedures and Standards of Conduct 

From a patient perspective, complying with this element means ensuring that staff are educated and aware of written policies and procedures. For example, the following services will not be affected post-PHE: 

• Medicare and Medicaid telehealth visit flexibility 
• Access to COVID-19 vaccines 
• COVID-19 treatments such as Paxlovid and Lagevrio 

As we restore standard operations, prioritize reviewing policies and procedures for staff to ensure they are current. It’s also critical to create standards of conduct for staff and hold them accountable to those standards. Be sure to implement ongoing staff education programs.  

2. Designating a Compliance Officer and Compliance Committee 

For patients, this element involves ensuring that they have a point of contact for filing a complaint or grievance. Be sure they can do so anonymously, if they choose. Post-PHE, we can anticipate that complaints and grievances may focus on improper:  

• Billing for telehealth visits 
• Copays for medications 
• Scheduling of in-person appointments, when the patient requested a telehealth appointment  

Compliance officers may want to emphasize reviewing the processes and procedures around billing and coding. Also review your practices to be sure staff receive updated education on charging and collecting proper copays. 

3. Conducting Effective Training and Education

Compliance leaders fulfill the third element by helping to ensure that patients understand what services are affected when the PHE has expired. Compliance officers are instrumental to making sure patients know details such as:  

• That access to free over the counter COVID-19 tests has ended, unless there is a state waiver in place
• That reporting COVID-19 test results is no longer mandatory for all healthcare providers 
• That they have the option to continue receiving care via telehealth, when clinically appropriate 

This element calls on you to ensure that training materials are easy to understand and are shared in a variety of formats. Some effective formats include online on the patient portal and verbally at registration. 

 4. Developing Effective Lines of Communication

This element involves making sure patients are comfortable asking about the organization’s policies and procedures related to the PHE and more. 

Compliance leaders can implement this element in several ways, including by: 

• Providing patients and staff with easy-to-read materials regarding changes post-PHE 
• Posting the grievance policy in multiple areas and in the top languages spoken in the community 
• Ensuring that employees know how to contact Compliance and how to find the compliance hotline number 
• Checking in with compliance champions, or liaisons, to see what’s happening in departments and clinics throughout the organization and timely addressing concerns 

5. Conducting Internal Monitoring and Auditing 

The fifth element extends to patient privacy after the PHE. Among the compliance activities to prioritize post-PHE, the compliance officer should help make sure staff are educated on how to:  

• Protect patient privacy and confidentiality during registration 
• Protect patient health information so it is not visible to other patients or visitors 
• Follow the compliance workplan to provide compliant, consistent, and confidential patient care   
• Understand benchmark audit data  

6. Enforcing Standards with Accountability 

The goal of the sixth element is to ensure operational responsibility. Its correlation to patient care primarily focuses on making sure patient services are delivered in a compliant manner.  
Using a post-PHE lens means supporting patients in understanding what service and billing changes will occur, such as collection of copays for telehealth visits. During the PHE, providers were permitted to reduce or waive cost-sharing copayments or deductibles for telehealth services provided to Medicare beneficiaries. After the PHE expires May 11, full Medicare copayments for telehealth services must be charged and collected. Again, this element requires compliance leaders to provide staff education and training and then hold staff accountable to the current regulations and policies. It also involves reporting any compliance infractions to the employee’s supervisor, compliance committee, and the board, if needed.   

7. Responding Promptly to Identified Offenses and Undertaking Corrective Action 

This is where compliance leaders can lead by example when it comes to being responsive to patients’ concerns. Compliance officers can help ensure that staff take prompt action to improve the patient experience by:  

• Confirming whether the patient is requesting a telehealth or in person visit  
• Providing timely responses to written complaints or grievances 
• Promptly correcting billing problems and processing refunds quickly 
• Correcting copayment mistakes during the visit  

Compliance leaders are responsible for requesting timely corrective action plans, as needed, and reporting disciplinary actions to the board and required regulatory body, if needed. 

Patients may see the end of the PHE as a welcome sign of everyday life returning to normal. For compliance officers, post-PHE preparations have been as extensive as the pivots required when the pandemic first hit. Relying on the OIG’s seven elements and the HHS roadmap can help compliance professionals best support their organization in the transition to pre-pandemic operations.  

Help Working with Operations

YouCompli subscribers can manage tasks and activities related to the end of the public health emergency with our workflow tool. Compliance can send notifications of regulatory changes to operations. Our solution enables the right people in the right departments to update policies and procedures as well as monitor the progress of the required changes. The YouCompli dashboard, embedded in our verify feature, enables Compliance to monitor the process and verify that the work gets done by the deadline. Find out how.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC 

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG. 

---

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

---

Never miss an article from healthcare compliance experts

The post Post-PHE Preparations: Ensuring Quality Patient Care  first appeared on YouCompli.

Using the OIG’s seven elements as a guide to delivering better patient care 

Healthcare Compliance professionals tend to focus, rightfully so, on the regulations and organization requirements around providing quality patient care and keeping patients safe. But what if compliance officers focus on the impact these regulations have on a patient’s experience?  

Consider the seven elements in the OIG’s guidance on effective compliance programs. Of course, they concentrate on compliance and measuring the effectiveness of your program.

Yet they’re also key to providing a better patient experience. Below is a look at the seven elements and how each one shapes the way that patients perceive their experience. This reframing of the work of the Compliance department can help you engage your clinical and operational colleagues more effectively. It aligns your goal – an effective compliance program – with theirs – a great patient experience.

The OIG’s seven elements align quality patient care with compliance 

The connection to patient care for some of the elements is obvious. And there’s overlap among the elements, particularly regarding education and training. Altogether, the elements are a reminder of all the ways compliance officers influence how their organization provides patient care.

1. Implementing written policies, procedures, and standards of conduct 

This is among the most straightforward elements for demonstrating how compliance officers shape patient care. Complying with this element – from a patient perspective – means ensuring that staff are educated and aware of their roles in 

• Protecting patients’ personal health information 
• Billing patients’ services correctly 
• Providing patients’ medical records when they request them. 

Compliance officers have three main roles in this. The first is to develop policies for staff, continually reviewing them to ensure they’re current. Next is to create standards of conduct for staff. Finally, the compliance team writes and implements ongoing staff education programs. All are critical for delivering superior patient care. 

2. Designating a compliance officer and compliance committee 

For patients, this element involves ensuring that they have a point of contact for filing a complaint or grievance. It’s also about enabling patients to report their concerns anonymously.

The focus is on the foundational work of maintaining a compliance program and keeping current on regulatory changes. It involves a range of compliance responsibilities, including gauging program effectiveness by evaluating for conflicts of interest, providing a venue for reporting to the organization’s board of directors or executive leaders, and developing and implementing an annual compliance workplan. 

3. Conducting effective training and education

Compliance officers fulfill this element in multiple ways, including by helping to ensure that patients can 

• File a complaint or grievance without fear of retaliation or cancellation of future appointments 
• Feel confident their care team knows what they are doing, and
• Receive clear instructions on how to use the organization’s patient portal 

It’s about more than developing and implementing education programs for employees. It’s about compliance officers fostering a culture of compliance. This means conducting rounds or in-person education sessions with the employees to evaluate compliance-based knowledge and ensuring that training materials are easy to understand. Another key is recruiting and training compliance champions – individuals who can act as liaisons between patients, staff, and Compliance.

4. Developing effective lines of communication 

The fourth element involves making sure patients are comfortable asking about the organization’s policies and practices. It means ensuring that patients feel like they’re listened to at appointments and are treated like their health-related concerns are valid.  

Compliance officers can implement this element in several ways, including by

• Conducting rounds or in-person education sessions with the employees to allow them to ask compliance-related questions 
• Ensuring that employees know how to contact Compliance and how to find the compliance hotline number 
• Checking in with compliance champions to see what’s happening in departments and clinics throughout the organization. 

5. Conducting internal monitoring and auditing 

In addition to monitoring and auditing, this element extends to patient privacy. For example, it means that when patients sit in the lobby or walk to an exam room, they can’t see or hear other individuals’ personal health information.
Among the compliance activities involved are making sure staff are educated on how to 

• Protect patient confidentiality
• Return overpayments to patients
• Follow a compliance workplan for monitoring and auditing
• Document and benchmark audit data

6. Enforcing standards through well-publicized disciplinary guidelines 

This element correlates to patient care primarily around privacy issues. It involves activities such as making sure patients are given sufficient time to read their admission paperwork and their rights under HIPAA. It also means enabling patients to ask questions about how to designate someone to receive their health information and share patients’ rights.

Again, this element requires compliance officers to provide staff education and training. It also involves reporting any compliance infractions to the board and the compliance committee, and in turn, ensuring disciplinary actions taken are consistent. 

7. Responding promptly to detected offenses and undertaking corrective action 

This is another area where compliance officers shape the front line of patient care. This element involves activities such as making sure patients

• Receive a timely response to written complaints from a clinic manager 
• Have billing problems handled promptly 
• Are asked for the correct copayment during their visit 
• Receive notification if their personal health information may have been compromised. 

In addition to conducting staff education and training in these areas, compliance officers are responsible for requesting corrective actions plans, as needed, and reporting disciplinary actions to the required regulatory body, if needed. 

Delivering a high-quality patient experience starts with building empathetic relationships with patients. Implementing the OIG’s seven elements can help compliance officers facilitate an organizational culture that prioritizes delivering quality patient care and showing patients empathy.  When a patient receives care at a clinic or calls with a complaint, showing that you care goes a long way toward providing a better patient experience.  

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC 

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG. 

---

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

---

Never miss an article from YouCompli. Denise writes a regular column about the intersection of healthcare compliance and quality patient care.

Free up time to focus on the OIG’s Seven Elements 

Keeping up with the regulatory changes issued by more than 500 regulators across the US is a full-time job. That’s why we do it for you. YouCompli scans 2,000+ regulatory sources daily to aggregate every update issued by federal, state, local and MAC regulators. Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use.

The post Patient-Focused Elements of an Effective Healthcare Compliance Program first appeared on YouCompli.

A sacred trust is at the heart of the relationship between patient and provider. Maintaining this trust can be tough for providers to navigate amid changing regulations and evolving technology.  

We explore how compliance officers can help their organizations’ providers maintain trusted relationships while ensuring requirements around patient privacy and protected health information (PHI) are met. 

Navigating HIPAA Privacy Rule complexities   

The U.S. Supreme Court’s Dobbs decision, which left abortion policies up to states, also raised data privacy issues for providers. Further, the decision could undermine the sanctity of the patient-provider relationship.  

Currently, federal laws that protect the physician-patient relationship include the Emergency Medical Treatment and Labor Act (EMTALA) and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The U.S. Department of Health & Human Services has emphasized the breadth of the HIPAA Privacy Rule and the importance of patients being confident their PHI will be kept private. 

Dr. Koyama, a physician in the metropolitan Phoenix area, explained why preserving the physician-patient relationship is critical. 

“As an abortion provider and emergency medicine physician, I have the privilege to learn about how the patient in front of me made it to my exam room,” Koyama said. “That story of their journey is the only way I can provide the best possible care to help evaluate, manage, or treat the reason for their visit. I need patients to feel comfortable and to give me as full and honest of their story as possible, so that I can provide the most effective and safe medical care.”  

Koyama added that laws aiming to restrict or limit the sacred relationship between patient and physician could be “dangerous” for patients. 

Safeguarding sensitive health data  

From a compliance perspective, there are several ways to help the trusted patient-provider relationship remain intact. For organizations with offices in multiple states, a best practice for compliance officers is to follow the state or jurisdiction with the most stringent privacy laws or requirements. Then, adopt policies and procedures aligned with the most stringent patient PHI requirements.  

It requires vigilance to balance the requirement to disclose PHI with the trust of the patient-provider relationship. Compliance officers should stay abreast of changes in federal and state regulatory changes to assist staff in understanding patients’ rights.  

Evolving healthcare technology 

Another area requiring compliance officers’ vigilance is evolving healthcare technology. A recent class-action lawsuit involving Meta’s Pixel tracking tool is calling attention to possible gaps in patient-privacy protections. 

It illustrates the concerns patients have expressed about safeguarding PHI in today’s digital society. And it demonstrates the potential fallout if providers don’t get it right.  

Implementing HIPAA Safeguards 

Compliance officers can help prevent their organization from releasing patient data that could trigger a HIPAA violation. Their role involves ensuring that staff are up to date on the three areas of HIPAA safeguards: administrative, physical, and technical.  

Below is a brief overview of each area:  

1. Administrative safeguards focus on the organization’s HIPAA policies, procedures, and training.
2. Physical safeguards include access to office space and computers, and cover details such as ensuring that PHI is not disposed of in the trash or left unattended on a desk. 
3. Technical safeguards cover hardware, software, and technology, and include guidance around not sharing passwords or leaving devices unattended. 

To maintain a trusted relationship with providers, patients need every confidence their provider values their privacy. And providers must thoroughly understand the permitted uses and disclosures of PHI. Compliance officers are central to both efforts.  

By staying up to date on changing federal and state privacy requirements, compliance officers are helping their organizations better understand patients’ privacy rights and, in turn, maintaining patients’ trust. 

Never miss an article from Denise Atwood. She covers protecting patients for the YouCompli blog.

---

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

---

Denise Atwood, RN, JD, CPHRM 
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC 
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.  

How is your healthcare organization keeping up with changes in regulations? Read more about our regulatory monitoring process.

The post Maintaining the sacred trust of the patient-provider relationship  first appeared on YouCompli.

Telehealth use has soared, reaching nearly 53 million visits in 2020. With it, compliance officers have guided their healthcare organizations in complying with changing documentation, coding, and confidentiality requirements. 

As virtual care requirements for telehealth evolve, we explore how compliance officers can support patient care and help their organizations stay up to date. This is particularly important as the waivers that enabled this rise in telehealth may end as soon as the end of 2022. 

Consolidated Appropriations Act 

“While the delivery of most healthcare services has – for the most part – returned to pre-pandemic processes, telehealth remains a prominent method of delivery of healthcare services for certain types of visits and providers, such as behavioral health,” said Isabella Porter, director of Compliance at District Medical Group, Inc. “Not surprisingly, both government and health plan audits have identified what Compliance professionals warmly refer to as ‘opportunities’ with respect to how telehealth services are documented, coded, and reimbursed by healthcare providers.”  

A measure in the Consolidated Appropriations Act signed into law in March, extended Medicare telehealth reimbursement for 151 days following the end of COVID-19. This is an opportunity for organizations that have embraced virtual care to continue offering telehealth visits to their patients.  

The extension provides continued flexibility, convenience, and access to care for medical care and services. It’s also a continuation of mental health services and an expansion of psychologist audio-only services. 

Interstate telemedicine 

Currently, 13 states waive in-state licensure requirements for telehealth, and 19 states have long-term or permanent interstate telemedicine. To stay current on interstate telemedicine licensing requirements, compliance officers should set monthly or quarterly monitoring reminders to ensure they are up to date. YouCompli subscribers receive notifications about regulation changes at the state, federal and local level instead of monitoring manually.  

Patients who live in rural areas or medically underserved areas benefit the most from physicians being able practice in more than one state. Multi-state licensing, especially when delivered via telehealth, allows these patients to have access to medical and behavioral health care. Moreover, multi-state licensure and care via telehealth allow providers to give needed care to patients regardless of where they are located.  

The future of telehealth  

American Medical Association research found that physicians overwhelmingly embraced telehealth during the pandemic, and more than 70% of physicians are motivated to increase telehealth use. 

If the Centers for Medicare and Medicaid Services (CMS) continues to expand coverage for telehealth services and provides reimbursement for virtual care, telehealth will continue. However, if CMS no longer reimburses for telehealth services, organizations will likely discontinue or greatly decrease virtual care.  

To prepare for potential changes, compliance officers should stay abreast of new bills and legislation to further expand coverage for Medicare telehealth services. Legislation to watch includes the Telehealth Extension Act of 2021 (H.R. 6202) and the Telehealth Extension and Evaluation Act (S. 3593). Also, compliance officers should help prepare organization leadership for potential discontinuation of some Medicare telehealth coverage and reimbursement.  

In addition, compliance officers should work with billing and coding staff to ensure they adhere to regulatory changes that terminate certain telehealth services. Compliance officers also can partner with clinical leaders to educate patients. Patients will appreciate advance notice of any discontinuation of telehealth services.  

“It behooves healthcare organizations to include Compliance with the monitoring and auditing of telehealth services. The Compliance team can also help ensure that the workflows that support delivery of these services are compliant with additional applicable regulatory requirements. This includes HIPAA Privacy and Security,” Porter said. 

You can support your organizations’ efforts to implement telehealth long term by staying abreast of the telehealth regulatory requirements and anticipating potential barriers to care. Also, compliance officers can assist their organizations in obtaining patient feedback regarding telehealth services and monitoring patient compliance with telehealth visits. Demonstrated patient satisfaction with telehealth services and low patient appointment cancellations rates may encourage organizations’ leaders to continue telehealth long term.  

Related: Telehealth policies and programs center on patient care

Denise Atwood, RN, JD, CPHRM 
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC 
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.  

How is your healthcare organization keeping up with telehealth regulation changes? Read more about our regulatory monitoring process or schedule a demo. 

---

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

---

Never miss an article about managing regulatory change to improve patient care. Sign up for emails from YouCompli.

The post Telehealth evolution: Supporting patients with virtual care first appeared on YouCompli.