As of right now, covered entities under HIPAA must comply with Executive Order 14076, officially titled Protecting Access to Reproductive Healthcare Services (the “Rule”), by December 23 – less than two weeks from now. However, as a consequence of the 2024 presidential election results, there are questions regarding the enforcement of this regulation. Here’s what you need to consider. 

The Rule was signed on July 8, 2022, by President Joe Biden. It is one of many actions taken by the Department of Health and Human Services (HHS) to protect access to and privacy of reproductive health care after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. The Dobbs decision has led to extreme state abortion bans and other restrictions on reproductive freedom in 21 states. 

The Rule directs HHS, the Federal Trade Commission (FTC), and the Department of Justice (DOJ) to take and consider steps in their respective fields to protect reproductive healthcare services and access to them by: 

• Safeguarding access to reproductive health care services, including abortion and contraception; 
• Protecting the privacy of patients and their access to accurate information; 
• Promoting the safety and security of patients, providers, and clinics; and 
• Coordinating the implementation of Federal efforts to protect reproductive rights and access to health care. 

The Rule establishes a ban on the use or disclosure of PHI by a HIPAA-covered entity (i.e., healthcare provider, health plan, healthcare clearinghouse) or their business associates (BAs) for any of the following: 

• Criminal, civil, or administrative investigations into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare. 
• Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare. 
• Identifying any person for any purpose described above. 

A covered entity or BA must obtain a written attestation that the information is not for a prohibited purpose before PHI potentially related to reproductive healthcare can be used or disclosed in the following circumstances: 

• Health oversight activities. 
• Judicial and administrative proceedings. 
• Law enforcement purposes. 
• Disclosures to coroners and medical examiners to identify a deceased person, determine cause of death, or other duties as authorized by law. 

A valid attestation must contain the following: 

• A description of the information requested, including the name of any individual(s) whose PHI is sought – or, if that’s not practicable, a description of the class of individuals whose PHI is sought.   
• The name of the person who has been asked to make the PHI use or disclosure and the name of the person to whom it should be made.  
• A statement that obtaining, using, or disclosing individually identifiably health information in violation of HIPAA may be subject to criminal penalties. 

The attestation must be in plain language, signed by the requester, and must clearly state that the PHI is not for “criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive healthcare.”¹ Additionally, the Rule requires changes to the HIPAA notice of privacy practices (NPP) to reflect the heightened protections for reproductive health information. 

With Donald J. Trump set to return to the White House in January, the healthcare industry should expect to see changes in the enforcement of the Rule. It is likely that the Trump administration will not support the changes that enhance the privacy of reproductive health information. It is also reasonable to expect the new administration to downplay any compliance obligations stemming from the Rule, and perhaps even a total lack of enforcement efforts.  

While the exact actions and impact on the Rule remain uncertain, it is possible that the Trump administration could take administrative action to rescind the Rule entirely. The administration also could rework existing HIPAA protections so states have greater flexibility to require disclosure of reproductive health care information. Obviously, these circumstances will create further ambiguity for patients and the healthcare industry as a whole. It is recommended that healthcare compliance and privacy professionals continue to take steps to achieve compliance with the requirements of the Rule, while keeping in mind that significant changes may be on the horizon.   

Susan is a healthcare compliance leader with over four decades working in a variety of administrative and managerial capacities, including strategic planning, regulatory oversight, revenue cycle risk mitigation, denial and appeal management, privacy and information security, healthcare advocacy, clinical department leadership, provider practice administration, risk management, and quality outcomes.  Currently, Susan provides compliance and privacy consulting services to a variety of healthcare organizations, including program implementation, policy and procedure development, compliance and privacy training, and regulatory oversight administration.  

Susan is a Certified Internal Auditor (CIA), Certified Healthcare Compliance (CHC), Certified Professional Coder (CPC) and holds a Certification in Risk Management (CRMA).  

Download our Latest White Paper

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management  

Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm.   

Sign up for our Weekly Newsletter

The post The HIPAA Reproductive Health Rule: A Potential Plot Twist  first appeared on YouCompli.

In the complex world of healthcare, compliance with federal, state and international regulations is not just a moral and ethical responsibility—it’s a financial one.  The cost of non-compliance in healthcare can be staggering, with fines, penalties, legal fees, and reputation damage all posing significant risks to healthcare providers. This blog delves into the real cost of non-compliance, highlighting notable examples of fines and penalties while underscoring the importance of robust compliance programs.  

Financial Repercussions  

A myriad of regulations exists in healthcare, including those related to patient privacy (HIPAA), billing practices (Medicare and Medicaid), and data security. Non-compliance can lead to audits, investigations, settlement agreements, and ultimately hefty fines – and those are just some of the tangible costs we can quantify. The cost of non-compliance is sometimes a forgotten topic when finalizing the organization’s budget.  

• HIPAA Violations: One of the most publicized areas of healthcare compliance is the protection of patient information under the Health Insurance Portability and Accountability Act (HIPAA).  Violations can result from inadequate training, employee negligence, and ever-pervasive cybersecurity issues. The gravity of cybersecurity cannot be overstated, as the issues pose significant risks to patient safety, privacy, and integrity of the healthcare system. Breaches can lead to fines and legal challenges, not to mention the erosion of patient trust.  

In the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for CY2022, the Department of Health and Human Services (HHS) reported a significant increase in HIPAA complaints (17% increase from 2018 to 2022) and large breaches (107% increase from 2018 to 2022). The HHS Office of Civil Rights (OCR) completed 846 compliance reviews and required the entities to take corrective action and/or pay civil monetary penalties that totaled $2,425,640 in 674 of the investigations. Covered entities and business associates are not always prepared for compliance reviews that are brought to the OCR’s attention. The cost of an imposed resolution agreement may result in compliance program improvements but can be operationally disruptive.  

• Medicare and Medicaid Fraud: Billing fraud is another area where non-compliance costs can skyrocket. In 2020, Novartis Pharmaceuticals Corp. agreed to pay $678 million to settle a lawsuit that accused the company of paying kickbacks to doctors to induce them to prescribe its drugs. This suit was brought under the Anti-Kickback Statute, a criminal law originally enacted in 1972 and amended and expanded several times since its inception.   

Several organizations have also been issued Corporate Integrity Agreements (CIA) for violations of this statute. Benchmarking your compliance program to the CIA is an excellent exercise and can be used as a means for identifying risks and making program enhancements.  

One of the Seven Elements of Effective Compliance Programs is auditing and monitoring. Auditing contracts for high-risk areas such as items related to the Stark Act and Anti-Kickback Statute can assist with preventing improprieties. A compliance workplan should include the continuous review of physician and/or medical director contracts based on risk, adherence of policies to the contracts, a review of financial payment to the contracts, and all associated documentation to support payment.    

• Quality of Care Violations: Non-compliance related to the quality of care can also lead to significant penalties. For instance, in 2019, a skilled nursing facility chain was fined $3.5 million for not meeting certain federal standards of care, which directly impacted patient health outcomes. The adage, “If it wasn’t documented, it wasn’t done,” not only can lead to financial consequences for billing but truly impacts the care of the patient.     

In February 2024, a settlement agreement of $25.5 million was reached with Lincare for fraudulent billing practices that also impacted the quality of services to patients. Essentially, monthly claims for payment of respiratory equipment were submitted to the federal health care program that were not medically necessary or the beneficiary had stopped using the device.    

Beyond the Fines  

What are the intangible costs of non-compliance? Here are some of them:  

• Reputation Damage: Publicized violations can erode patient trust, potentially leading to a loss of business. Restoring a tarnished reputation can take years – if not decades – and significant investment.  Violating an individual’s right to privacy can impact a community’s trust and confidence in the organization and its leadership. Reputational damage may also negatively impact:  
  • Employee morale  
  • Recruitment of specialty physicians and quality leadership  
  • Philanthropic giving  
• Operational Disruption: Addressing compliance issues can divert resources from patient care and other operational priorities, impacting the organization’s overall performance. Responding to an initial inquiry or reported incident on a compliance matter can consume countless hours investigating; however, ignoring a matter may result in whistleblower action, retroactive audits, data analysis, and/or legal and compliance review that will deplete more resources quickly over a greater length of time. It is best to prevent, detect, and deter.  
• Increased Scrutiny: Once an organization faces penalties for non-compliance, it may come under increased scrutiny from other agencies and regulators, leading to more audits and inspections.  The social media trajectory has created a new level of exposure for all organizations.  
• Insurance Costs: Non-compliance can lead to higher insurance premiums, as insurers assess the organization as a higher risk. This is particularly the case since the advent of cybersecurity breaches of patient information.  

Building a Culture of Compliance  

Key strategies for building and maintaining a robust compliance program include:  

• Ongoing Training: Ensure that all employees understand the relevant regulations and their roles in maintaining compliance. Most important is to emphasize the duty to report a concern or issue. One of the purposes of reporting is to prevent, detect, and deter to give the organization an opportunity to correct an impropriety before the problem becomes systemic and repeated.    
• Targeted training is important for patient registration to obtain accurate data and information from the first point of entry.  
• Specialized training should be given around health information management, regarding documentation requirements and orders that support the service to be delivered.  
• Educate revenue cycle staff to understand payor reimbursement, fee schedules, national coverage decisions, local coverage decisions, denials, and the “why” behind the denial and the circle of services provided to right reimbursement.  
• Train for utilization review and quality to understand the intersection of compliance and quality providing examples from settlement agreements and more.  
• Risk Assessments: Conduct regular assessments to identify and mitigate risks of non-compliance. This establishes a framework for improvement.    
• Policies and Procedures: Develop clear, accessible policies and procedures that align with all applicable state and federal regulations. Then, monitor adherence to the policies to reduce risk to the organization. 
• Compliance Officer: Your organization’s Compliance Officer should be a part of senior management. This sends a clear message throughout the organization, lends credibility to the compliance program itself (internally and externally) and makes it more likely that employees will take compliance seriously.   
• Reporting Mechanisms: Implement confidential reporting mechanisms for employees to report potential compliance issues. The emphasis here is not just one mechanism, but several.  Transparency and the ability to voice concerns without retribution are crucial to the success of establishing a healthy culture.  

The cost of non-compliance in healthcare extends far beyond fines and penalties. It encompasses legal fees, reputational damage, operational disruptions, and more. Investing in compliance is not just a legal obligation—it is a critical component of a healthcare organization’s operational excellence and commitment to patient care.  

Shawn DeGroot CHC-F, CCEP, CHRC, CCPC is president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment.  She served on the faculty of the HCCA Privacy Academy and served five years on Board of Directors for St. Charles Health System, Bend, OR.  Shawn’s area of expertise is also Corporate Integrity Agreements to include experience in seven CIA’s with the first CIA pertaining to Stark and Anti-kickback.  She also is a past president of HCCA/SCCE and serves on an advisory group to the HCCA/SCCE Board of Directors. 

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts 

Never miss an article from Shawn Y. DeGroot. Sign up for YouCompli’s weekly email if you haven’t already.

The post The Cost of Non-Compliance  first appeared on YouCompli.

The updated General Compliance Program Guidance (GCPG) from the Office of the Inspector General (OIG) is an extremely helpful reference with an easy-to-understand user’s guide. As Shawn DeGroot noted in her recent look at top takeaways from the document, “The GCPG should be used to establish a compliance program, clarify roles and responsibilities, identify risks, and align current policies and procedures with what should be done.” 
 
Compliance officers can make the most of the new GCPG to meet the requirements of the OIG’s seven elements in a relevant and meaningful way. Below are recommendations – with tips for each of the seven elements – on how the new GCPG can help you develop and maintain your organization’s compliance program.  

Element 1 (page 33): Written Policies and Procedure 

• An organization’s Code of Conduct, which reflects its mission, vision and goals, should be revised regularly. Each employee and board member should read and acknowledge the Code of Conduct, reflecting their attestation to act ethically and comply with federal and state laws and regulations. 
• Policies around billing, coding, marketing, quality of care, and physician and vendor arrangements should be reviewed regularly. This means they should be revised if necessary, and a system should be created and maintained with outdated or retired policies.  

Element 2 (page 37): Compliance Leadership and Oversight 

• Organizations should designate a compliance officer who reports to the Board of Directors and/or the CEO directly. This person should have the authority and resources necessary to implement an effective compliance program.  
• All organizations’ compliance committees should support the compliance officer in carrying out the compliance program objectives. The committee should meet no less than quarterly.  
• The Board of Directors should oversee compliance, as they have a fiduciary duty to understand compliance operations and organizational risks.  

Element 3 (page 46): Training and Education  

• Make clear the identity and role(s) of the compliance officer and the compliance committee. 
• Be sure to highlight ways that individuals can raise compliance concerns or questions. Support an environment of nonretaliation. 
• Organizations should have a system to monitor training and education completion by every employee, contractor, student, and volunteer. 

Element 4 (page 50): Effective Lines of Communication  

• Organizations should allow confidential or anonymous reporting of concerns. This could be done through a hotline number, a website, an email, or mail.  
• Organizations then should develop and maintain a disclosure log and reported concerns.  

Element 5 (page 53): Enforcing Standards – Consequences and Incentives 

• Ensure that consequences for noncompliance are well-known throughout the organization. To deter noncompliance, these consequences should be consistently applied and enforced.   
• Develop incentives, such as staff recognition, to promote and encourage participation in the organization’s compliance program.  

Element 6 (page 55): Risk Assessment, Auditing, and Monitoring 

• Utilize risk-assessment tools to identify, analyze, and appropriately respond to organizational risks.   
• Develop and implement an auditing and monitoring plan and calendar for due dates. These audits can be conducted by internal or external auditors.  

Element 7 (page 59): Responding to Detected Offenses and Developing Corrective Action Initiatives 

• Investigate alleged violations. Summarize the investigative process and investigation findings, and report it all to the compliance committee, CEO, and Board.  
• Report misconduct or noncompliance to the appropriate governmental agency, as required. For example, in accordance with HIPAA breach notification requirements.  

As healthcare delivery systems become more complex, compliance professionals need to develop and implement compliance programs that are robust enough to provide a good foundation yet flexible enough to allow for change. Mapping the OIG’s new GCPG document to the seven elements can help compliance officers start the new year from a place of strength. 

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal, and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix and Vice President of the company’s self-insurance captive.  

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm.

Get the latest from healthcare compliance experts  

Never miss an article by Denise Atwood. Sign up for YouCompli’s weekly email if you have not already.

The post How the OIG’s New General Compliance Program Guidance (GCPG) Addresses the Seven Elements   first appeared on YouCompli.

Last month, the Office of Inspector General (OIG) published a new, user-friendly, 91-page General Compliance Program Guidance (GCPG). It is meant to be a helpful reference for everyone in the health care industry about how to develop a compliance program, safeguard their organizations and ensure they operate according to all laws and regulations. Users are encouraged to use the electronic version, to allow access to hyperlinked definitions and resource documents.  

Previous versions are archived on the OIG website and will no longer be published in the Federal Register. Also, industry segment specific guidance (ICPGs) will be developed for sectors of federal health care programs.  

Throughout the GCPG, helpful revisions and clarity are provided to a few areas that have proven problematic over the years. Here are a few areas I think are especially noteworthy:  

• Arrangements (page 10): The GCPG provides a brief overview of pertinent laws and a list of “key questions” to assist with the determination of whether an arrangement violates the federal anti-kickback statute. 
• Exclusions (page 26): OIG recommends that any entity participating in the federal Medicaid program should check the state Medicaid program exclusion list for each applicable state. Each state has strengths, weaknesses, and a high degree of variation with the knowledge and access of exclusion databases, creating a cumbersome process to validate Medicaid exclusionary status.  
• HIPAA Privacy and Security Rules (page 30): In bold print, the OIG recommends that compliance with Privacy, Security and Breach Notification Rule requirements be included in ALL risk assessments. 
• Relevant Individual (page 36): The OIG wisely introduces this new term and includes employees, contractors, patients, customers, agency staff, medical staff, subcontractors, agents, and other key individuals as relevant. These people should at least receive new and/or revised policies and procedures before they are implemented. 
• Compliance Officer (page 38): The OIG clarifies that compliance officers “have sufficient stature within the entity to interact as an equal of other senior leaders of the entity.” The OIG does not provide a sample organizational chart or team structure, but it does position compliance officers as essential to the development and implementation of strategic initiatives. The OIG also writes: 

“The Compliance Officer’s primary responsibilities should include advising the CEO, board, and other senior leaders on compliance risks facing the entity, compliance risks related to strategic and operational decisions of the entity, and the operation of the entity’s compliance program.” 

• Relationship to Legal (page 39): The OIG attempts to settle a long-standing debate regarding the roles of compliance and legal. In organizations where compliance reports to legal, conflicts of interest exist and can create barriers that lead to timing and resource inefficiencies. Effective communication and collaboration between compliance and legal is the key to a successful outcome. The OIG writes:    

“The compliance officer should not lead or report to the entity’s legal or financial function, and should not provide the entity with legal or financial advice or supervise anyone who does.” 

• Compliance Committee (page 40): The OIG provides a detailed list of the Compliance Committee’s primary duties. This includes guidance on the members, roles direct responsibility for active participation. For the first time, the OIG suggests that an individual’s participation should be included in considerations about their overall performance and compensation. The OIG also provides a list of indicators for committee success – including that boards should oversee the Compliance Committee and receive regular reports on attendance by members.  
• Board Responsibilities (page 43): the OIG reiterates the need for the compliance officer to be sufficiently empowered commensurate with their responsibilities and in line with other senior leaders. A quote highlighted on page 44 states, “the board should also ensure that the compliance officer has direct and uninhibited access to the board at any time.” While this could create awkward situations for compliance officers and CEOs or other senior managers, this approach has become a best practice because it is effective and promotes transparency. 
• Training (page 46): The OIG recommends that compliance committees ensure training is available in several languages and in various formats. The training plan should be reviewed at least annually by the compliance committee to ensure the content is current and contains information on issues identified through auditing and monitoring. The OIG also suggests that organizations’ audiences can ask questions.  
• Effective Lines of Communication (page 50): The GCPG clarifies that compliance officers are responsible for reported concerns – but that issues may be referred to human resources, legal, or other departments. The OIG writes: “The compliance officer should remain involved in all health care compliance investigations in which counsel takes the lead.” This clarity is especially important for investigations. 

• Large and Small Entities (page 65): There is a specific section in the GCPG on adaptations for small and large entities.  

In small entities: 

• The compliance contact should not have any responsibility for the performance or supervision of legal. If possible, they should not be involved with billing, coding, or submission of claims. 
• In the absence of a hotline or formal disclosure, small entities should have policies and procedures to establish good-faith reporting of compliance issues and prohibit retaliation. 
• Regarding exclusions, an individual or entity or an employee with an invalid license can have a significant negative impact on a small entity. Monitoring compliance in this area should be performed to reduce risk for small entities. 

In large entities:   

• The OIG repeats the need for compliance officers to report directly to the board to send a message and establish the proper tone for all relevant individuals.  
• For the first time, the OIG says that exceptionally large organizations controlled by an international parent organization need to have sufficient information about applicable law. 

• Quality and Safety (page 76): In the last section of the GCPG, the OIG suggests that entities should incorporate quality and patient safety oversight into their compliance programs. Risks exist associated with financial incentives and discrimination against more costly patients. It says that compliance officers should include these areas in risk assessments. A new term introduced is “new entrants,” on page 78. The term references technology companies, new investors, and non-traditional service providers in health care settings that may not be aware of the health care industry regulations. To identify and prevent fraud and abuse risks in a complex health care environment, compliance officers should simply follow the money.   

As the compliance industry evolves, the OIG is right on track again. The new GCPG provides more useful tools that address multiple aspects of an effective compliance program. The GCPG should be used to establish a compliance program, clarify roles and responsibilities, identify risks, and align current policies and procedures with what should be done.   

Shawn DeGroot CHC-F, CCEP, CHRC, CCPC serves on the advisory board for YouCompli. She is also president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment. Previously she served as president of the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE).

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts 

Never miss an article from Shawn Y. DeGroot. Sign up for YouCompli’s weekly email if you haven’t already.

The post Key Takeaways from OIG’s New General Compliance Program Guidance (GCPG)  first appeared on YouCompli.

It’s finally here. The long-awaited, new OIG General Compliance Program Guidance (GCPG) has been released, all 91 pages of it. If you have not viewed it yet, click here: https://oig.hhs.gov/compliance/general-compliance-program-guidance/ 

This release is the first major compliance guidance document the OIG has shared in many years. While it is not possible to cover all 91 pages of the guidance in this brief article, here are the key takeaways to note from my perspective.   

Healthcare Compliance Laws and Enforcement 

A significant early portion of the document focuses on key healthcare laws and authorities that compliance programs should be familiar with. These include the Federal Anti-Kickback Statute, the Physician Self-Referral Law, the False Claims Act, the Civil Monetary Penalty (CMP) Authorities, Exclusion Authority, Criminal Health Care Fraud Statute, and the HIPAA Privacy and Security Rules. Under the Civil Monetary Penalty Authorities, the OIG emphasized the Beneficiary Inducements CMP, Information Blocking, and CMP authority as it relates to HHS grants, contracts, and other agreements. 

The Seven Elements 

The largest section of the document makes direct recommendations about compliance program infrastructure. Experienced compliance professionals will find the messaging in this section to be like past guidance. However, some notable portions appear to have additional nuanced focus: 

• It makes a more direct plea to leadership such as the CEO and/or Board to include formal statements of support for a culture of compliance in the Code of Conduct. 
• There is a direct recommendation that policies and procedures be reviewed at least annually. 
• The compliance officer should either report directly to the CEO or the Board. If reporting to the CEO, it should be with direct and independent access to the Board. 
• There are more references to quality of care in multiple elements. These include policies; coordinating with the Quality Department; clinical decision making; having representation from the Quality Department on the compliance committee; and calling out the potential of reporting serious breaches in quality and adverse events to the government. 
• The Auditing and Monitoring element now specifically includes Risk Assessment. It discussed the importance of performing a risk assessment and provides links to helpful resources when doing so. 
• The OIG calls out the importance of auditing for medical necessity. 

Adaptations 

As has always been the case, the OIG is careful to point out that this guidance should not be considered a model compliance program. To further this message, there is an entire section titled “Compliance Program Adaptations for Small and Large Entities.” It is important to recognize that no two compliance programs are going to be the same. Successful compliance programs are adapted to fit the organization and maximize compliance for individual organizations with unique risk profiles. 

There is obviously much more to the GCPG that has not been discussed here. This new document is sure to become a staple for any compliance professional in the healthcare industry. 

CJ Wolf, MD, M.Ed. is a healthcare compliance professional with over 22 years of experience in healthcare economics, revenue cycle, coding, billing, and healthcare compliance. He has worked for Intermountain Healthcare, the University of Texas MD Anderson Cancer Center, the University of Texas System, an international medical device company and a healthcare compliance software start up. Currently, Dr. Wolf teaches and provides private healthcare compliance and coding consulting services as well as training.  

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts  

Never miss an article by CJ Wolf. Sign up for YouCompli’s weekly email if you haven’t already.   

The post Key Takeaways from OIG’s Newly Released General Compliance Program Guidance  first appeared on YouCompli.

“As previous OIG compliance guidance(s) are retired to ‘archival’ status, we all should recognize that the original guidance may have been the most important document ever written for healthcare compliance professionals.” — Roy Snell 

In 1998, the Office of Inspector General (OIG) issued its first General Compliance Program Guidance (GCPG). Since then, compliance officers have used it to understand how to develop a compliance program, safeguard their organizations, and ensure they operate according to all laws and regulations. 

This month, OIG published a new, user-friendly, 91-page GCPG. Like the original, it is nonbinding and voluntary – it’s meant to be a helpful reference for all individuals and entities involved in the healthcare industry. Users are encouraged to use the electronic version, to allow access to hyperlinked definitions and resource documents. Previous versions have been archived on the OIG website, and will no longer be published in the Federal Register. Also, industry segment specific guidances (ICPGs) will be developed relating to particular sectors of federal healthcare programs.  

Throughout the GCPG, helpful revisions and clarity are provided to a few areas that have proven problematic over the years. Here are a few areas I think are especially noteworthy:  

• Arrangements (page 10): The GCPG provides a brief overview of pertinent laws and a list of “key questions” to assist with the determination of whether or not an arrangement violates the federal anti-kickback statute. 
• Exclusions (page 26): OIG recommends that any entity participating in Medicaid should check the state Medicaid program exclusion list for each applicable state. Each state has strengths, weaknesses, and a high degree of variation with the knowledge and access of exclusion databases, creating a cumbersome process to validate Medicaid exclusionary status.  
• HIPAA Privacy and Security Rules (page 30): In bold print, the OIG recommends that compliance with Privacy, Security and Breach Notification Rule requirements be included in ALL risk assessments. 
• Relevant Individual (page 36): The OIG wisely introduces this new term and includes employees, contractors, patients, customers, agency staff, medical staff, subcontractors, agents, and other key individuals as relevant. These are people that should at least receive new and/or revised policies and procedures before they are implemented. 
• Compliance Officer (page 38): The OIG clarifies that compliance officers “have sufficient stature within the entity to interact as an equal of other senior leaders of the entity.” The OIG does not provide a sample organizational chart or team structure, but it does position the compliance officers as essential to the development and implementation of strategic initiatives. The OIG also writes: 

“The Compliance Officer’s primary responsibilities should include advising the CEO, Board, and other senior leaders on compliance risks facing the entity, compliance risks related to strategic and operational decisions of the entity, and the operation of the entity’s compliance program.” 

• Relationship to Legal (page 39): The OIG attempts to settle a long-standing debate regarding the roles of compliance and legal. In organizations where compliance reports to legal, conflicts of interest exist and can create barriers that lead to timing and resource inefficiencies. Effective communication and collaboration between compliance and legal is the key to a successful outcome.  The OIG writes:    

“The compliance officer should not lead or report to the entity’s legal or financial function, and should not provide the entity with legal or financial advice or supervise anyone who does.” 

• Compliance Committee (page 40): The OIG provides a detailed list of the Compliance Committee’s primary duties. This includes guidance on members, roles, and direct responsibility for active participation. For the first time, the OIG suggests that an individual’s participation should be included in considerations about their overall performance and compensation. The OIG also provides a list of indicators for committee success – including that Boards should oversee the Compliance Committee and receive regular reports on attendance by members.  
• Board Responsibilities (page 43): The OIG reiterates the need for the compliance officer to be sufficiently empowered commensurate with their responsibilities and in line with other senior leaders. A quote highlighted on page 44 states, “The Board should also ensure that the compliance officer has direct and uninhibited access to the Board at any time.” While this could create awkward situations for compliance officers and CEOs or other senior managers, this approach has become a best practice because it’s effective and promotes transparency. 

• Training (page 46): The OIG recommends that compliance committees ensure training is available in several languages and in various formats. The training plan should be reviewed at least annually by the compliance committee to ensure the content is current and contains information on issues identified through auditing and monitoring. The OIG also suggests that organizations’ audiences have the ability to ask questions.   
• Effective Lines of Communication (page 50): The GCPG clarifies that compliance officers are responsible for reported concerns – but that issues may be referred to human resources, legal, or other departments. The OIG writes: “The compliance officer should remain involved in all healthcare compliance investigations in which counsel takes the lead.” This clarity is especially important for investigations. 
• Large and Small Entities (page 65): There’s a specific section in the GCPG on adaptations for small and large entities.  

In small entities: 

• The compliance contact should not have any responsibility for the performance or supervision of legal. If possible, they should not be involved with billing, coding, or submission of claims.   
• In absence of a hotline or formal disclosure, small entities should have policies and procedures to establish good-faith reporting of compliance issues and prohibit retaliation.   
• Regarding exclusions, an individual or entity or an employee with an invalid license can have a significant negative impact on a small entity. Monitoring compliance in this area should be performed to reduce risk for small entities. 

In large entities:   

• The OIG repeats the need for compliance officers to report directly to the Board, in order to send a message and establish the proper tone for all relevant individuals.  
• For the first time, the OIG says that very large organizations controlled by an international parent organization need to have sufficient information about applicable law. 

• Quality and Safety (page76): In the final section of the GCPG, the OIG suggests that entities should incorporate quality and patient safety oversight into their compliance programs. Risks exist associated with financial incentives and discriminating against more costly patients. It says that compliance officers should include these areas in risk assessments. A new term introduced on page 78, is “new entrants.” The term references technology companies, new investors, and non-traditional service providers in healthcare settings that may not be aware of the healthcare industry regulations. To identify and prevent fraud and abuse risks in a complex healthcare environment, compliance officers should simply follow the money.   

As the compliance industry evolves, the OIG appears to be right on track again. The new GCPG provides more useful tools that address multiple aspects of an effective compliance program. The GCPG should be used to establish a compliance program, clarify roles and responsibilities, identify risks, and align current policies and procedures with what should be done.  

Shawn DeGroot CHC-F, CCEP, CHRC, CCPC serves on the advisory board for YouCompli. She is also president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment. Previously she served as president of the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE).

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts 

Never miss an article from Shawn Y. DeGroot. Sign up for YouCompli’s weekly email if you haven’t already.

The post Key Takeaways from OIG’s New General Compliance Program Guidance (GCPG)  first appeared on YouCompli.

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) recently issued a warning regarding online tracking technologies. Because they pose risks to patient privacy and security, it is important for compliance pros to understand them and, of course, comply with applicable federal laws. Compliance officers also should partner with their Information Technology (IT) and risk management departments to ensure their organizations protect patient privacy and minimize security risks.  

Tracking Technologies  

It is good to start by understanding Internet browser tracking. Whenever a person browses the Internet or performs an Internet search, every link clicked, and each website visited is recorded. Websites then place small amounts of this data, known as cookies, on users’ electronic devices to track their browsing activity. They do this to help people more quickly access and search for material they frequently are interested in, as well as to deliver ads they may find useful. However, some people have found ways to use this tracking technology to access those cookies and acquire/share the personal data – including health information – they contain.  

To protect patients’ privacy and adhere to federal law, compliance professionals must understand what online patient data is being tracked and used by their organization’s website, social media pages, and payment portals. 

GFC Global, a nonprofit program, provides free and easy-to-understand videos on digital tracking. GFC Global focuses on the potential for website hacking and the sale of patient information. You will notice their site asks about sharing your cookies before you can access it! Once acknowledged, you can access their videos. 

Heeding the Warning 

Within the healthcare space, the OCR enforces HIPAA Security and Breach Notification Rules (HIPAA Rules), and the FTC protects the public from deceptive business practices. In a joint letter the two agencies released earlier this year, they expressed concerns “about the use of online tracking technologies such as Google Analytics and Meta Pixel in violation of HIPAA.” OCR Director Melanie Fontes Rainer noted, “Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website.” The OCR is using its resources to address this concern.  

Similarly, Samuel Levine, director for the FTC’s Bureau of Consumer Protection, explained, “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue to do everything in our powers to protect consumers’ health information from potential misuse and exploitation.” With the OCR and FTC focusing on these issues, compliance professionals should as well so they can best support their organization and their patients. 

Protecting Patient Privacy 

Impermissible disclosure of a patient’s personal health information (PHI) violates the HIPAA Privacy Rule and can result in harm to the patient. A year ago, the OCR issued a bulletin to remind HIPAA-covered entities of their obligations under the HIPAA Rules.  

HIPAA Rules prohibit regulated entities from using tracking technologies that could result in impermissible disclosures of PHI, including electronic PHI or ePHI. When tracking technologies gather information about users without their knowledge, there is a risk that users’ health information can be misused, sold, or otherwise exploited.  

The bulletin provides specific examples of how the HIPAA Rules apply to regulated entities’ use of tracking technologies. It covers tracking on user-authenticated (where the user must log in) and unauthenticated websites, as well as tracking within mobile applications and adhering to HIPAA compliance obligations.  

The bulletin emphasizes that HIPAA-regulated entities and their business associates must follow the law. Compliance professionals must ensure that business associates that use tracking technologies complete a business associate agreement and comply with HIPAA Rules. A joint risk audit of your vendors involving compliance and IT would demonstrate such due diligence.  

Following OIG (Office of the Inspector General) Guidance 

To protect patient PHI and ePHI, the OIG recommends following guidance with regard to online tracking technologies: 

• User-authenticated websites, such as patient portals, must use and disclose ePHI in compliance with the HIPAA Privacy Rule (45 CFR part 160 and s45 CFR part 164, subparts A and E) and ensure compliance with the HIPAA Security Rule (45 CFR part 164, subparts A and C).  
• Unauthenticated websites – those that do not require logging in – are, in most cases, not regulated by the HIPAA Rules. However, the HIPAA Rules may apply in some instances. For example, if a patient accesses an online portal to schedule an appointment and the tracking technology collects the patient’s date of birth or email address, HIPAA Rules apply.  
• Mobile applications offered by a regulated entity to manage appointments or pay for services are considered ePHI and thus regulated by HIPAA Rules. Moreover, compliance professionals should confirm whether these applications collect information such as fingerprints, device IDs, or network locations, which are considered PHI and covered under the HIPAA Rules. 

Compliance professionals who work for regulated entities are required to follow HIPAA Rules to protect patient PHI and ePHI when tracking technologies are used or offered by their healthcare organization. It is prudent for compliance officers to collaborate with their IT and risk management departments. Working together, they can ensure that their organization is aware of which websites and applications use tracking technology and determine the best way to mitigate patient privacy and security risks. 

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal, and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix and Vice President of the company’s self-insurance captive.  

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts  

Never miss an article by Denise Atwood. Sign up for YouCompli’s weekly email if you have not already.   

The post Mitigating Risks from Online Tracking Technologies  first appeared on YouCompli.

In the business of healthcare, promoting a culture of compliance is not merely a goal – it’s a necessity. Ethical integrity and adhering to regulatory requirements are critical to any organization’s success. That said, implementing compliance policies or appointing an individual to be the compliance officer is not enough. There has to be a commitment throughout all levels of an organization to do the right thing and do things right. To pull that off, the organization needs to have a culture of compliance that is contagious.  

I recently stumbled across a book by Jonah Berger, Ph.D., entitled “Contagious: How to Build Word of Mouth in the Digital Age.” Dr. Berger’s book explores the science behind why certain ideas, products, or messages go viral while others do not. According to Dr. Berger, there are six key psychological drivers for word-of-mouth communication among humans: 

1. Social Currency 
2. Triggers  
3. Emotion
4. Public 
5. Practical Value  
6. Stories  

As compliance officers, we play a significant factor in influencing others and shaping our organizations’ culture of compliance. Why not employ some of these drivers to help make our compliance cultures worthy of word-of-mouth around our organizations?  

Here are some ideas to get you started.  

Social Currency 

This concept relates to the things we talk about that make us look good to others or enhance our social status. Dr. Berger’s theory is that when something makes people feel knowledgeable or “in the know,” they are more likely to share it. For example, think about a time when you went to a new restaurant that you loved. You likely told others about your experience, right? That’s social currency. 

So how can we create social currency in the context of a compliance culture? Here are some suggestions: 

• Find a business and compliance-friendly solution for a proposed new business venture that one of your healthcare leaders is trying to advance.  
• Identify lost revenue for a department director while conducting a billing and coding audit.  
• Incorporate feedback and input from your department or organizational leaders in a compliance-related decision (e.g., finalizing a new process or policy).  

These are just a few examples where the effort you put into your work will result in your healthcare leaders looking good—which means they will tell others about what you did for them. 

Triggers  

Triggers are certain cues in the environment that can prompt people to talk about a product or idea. According to Dr. Berger, familiarity and everyday reminders play a significant role in keeping things top-of-mind. For example, if I were to say, “Peanut butter and…,” you’re most likely thinking of jelly even though I didn’t have to say it. That’s a trigger. 

So how can we create triggers? Here are some ideas: 

• Get out of your office and walk around your organization so others physically see you.  
• Conduct routine rounding (e.g., consistently visit with staff to see how they’re doing, what’s working well, and what’s not working well). 
• Make sure compliance hotline posters are not only displayed throughout the organization, but they have your name and headshot on them so others identify you as the person to contact. 

These are just a few examples of how you can establish triggers that keep compliance on the minds of your colleagues. It also helps you establish rapport with others in the organization.  

Emotion 

According to Dr. Berger, stories with strong positive or negative emotional elements are more likely to be passed on because they create a deeper connection with the audience. 

For example, you’ve likely seen advertisements for pet adoption services. As a pet owner, they are tough for me to watch, but they do grab my attention. That’s emotion. 

Here are ways to use emotion in compliance: 

• Celebrate milestones and achievements (e.g., 100% completion rate for training, successful audit, acknowledging a process change that reduced non-compliance rates). 
• Using situational examples from a patient’s point-of-view when discussing potential non-compliance. 
• Outline the financial and reputational impact on a department or organization when discussing concerns of non-compliance (e.g., breach of patient health information leads to loss of patient trust). 

By doing these things, you can embed an emotional connection to your compliance message – and increase the chances that it resonates with your audience.  

Public 

Public refers to the behavior of others that people mimic, especially in public settings. If something is observable and easily seen, it’s more likely to be shared. For example, when my 9-year-old sees one of her friends at school with a cell phone, she comes home and makes an argument that we need to buy her a cell phone.  

Here’s how we can build this kind of behavior in others: 

• Emphasize to your organization’s leadership that Tone-at-the-Top and leading by example in their business decisions demonstrates to employees that a compliance culture is desired.   
• Recognize a leader or employee in a public forum (meeting or newsletter) when they have supported the compliance program (e.g., they reported a concern that needed to be corrected). 
• Send a thank-you note to an employee’s supervisor when the employee supported the compliance program (e.g., they reported a concern that needed to be corrected). 

These are just a few examples of taking a public approach to your work – and fostering word-of-mouth about your compliance program.  

Practical Value 

People share things that help others solve problems or improve their lives. For example, when I was a kid, there was a TV commercial for Super Glue. In this commercial, they would show a gentleman hanging from a steel beam because they had glued his hard-hat to it. Though I wasn’t working in construction, this image did seem useful if I ever found myself with such a need.  

So how can we create practical value in the context of a compliance culture? Here are some ideas: 

• When you are explaining complex compliance-related concepts, show others how the organization needs to comply rather than telling them. Find or create interesting or memorable visuals, and then use them. 
• As you are communicating your compliance message, emphasize how meeting the requirements benefits your audience. 
• Making sure that compliance resources are easily accessible (e.g., make it easy to find and use). 

Stories 

Dr. Berger states that stories make content more relatable, memorable, and shareable. For example, a few years ago, automobile manufacturer Subaru ran an ad campaign featuring owners of their cars and their stories of how they survived accidents. The ads reinforced the message that Subaru builds a safe car and used customers’ stories to convey that message.  

We also can use stories to generate word-of-mouth within our organizations. We can:  

• Show examples of when non-compliance affected patient care (in a way that doesn’t violate HIPAA, of course). 
• During a training, discuss how a similarly sized organization arrived at a recent settlement. 
• Profile employees who are courageous enough to talk about an important compliance matter (in a way that doesn’t reveal the identity of the employee).  

Creating a contagious compliance culture is a continuous journey. It requires dedication, consistent effort, and a genuine commitment to ethical values. When done well, and compliance becomes ingrained in the organization’s DNA, it has tremendous benefits including minimizing risk and enhancing the organization’s reputation.  

Jay is a compliance professional and consultant in Colorado. Jay is a healthcare lawyer with significant industry knowledge of the U.S. healthcare market. Over the past 20 years, he has worked for large for-profit and non-profit health systems and small physician-owned entities. In tackling the countless regulatory and operational issues for these diverse organization types, he has developed a deep understanding of the business of healthcare and the regulations governing the industry. In 2018, Jay became an adjunct faculty member with the University of Southern California, Gould School of Law, designing and teaching healthcare compliance courses.

Jay obtained his law degree from the University of South Dakota, where he focused on healthcare law. From 2012-2016, he served on the Board of a non-profit organization serving the medically underserved in Colorado (ClinicNET). He is also a member of the Health Care Compliance Association (HCCA), serving on the planning committee for the Mountain Regional Conference since 2008. He is writing a series of articles on compliance culture for the YouCompli blog. This post looks at building trust among your colleagues. This post looks at measuring your organization’s culture of compliance. 

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts  

Never miss an article from Jay Anstine. Sign up for YouCompli’s weekly blog email if you haven’t already.   

The post How to Make a Compliance Culture Contagious  first appeared on YouCompli.

As compliance officers, we are continually placed in a position to influence the actions of others. We conduct investigations, advise leadership, educate staff, and more, and it all plays a significant role in shaping our compliance culture.   

Unfortunately, we have challenges when it comes to others’ perception of our role in our organizations. Before we even have a chance to utter a single word, healthcare leaders often see us as an obstacle – like a grown-up version of a high school hall monitor. 

That said, this perception can be overcome. We just need to work at it – which means focusing on how we communicate a compliance message of “do this” or “don’t do that.” If we want to improve our compliance culture, then we need to interact with our healthcare leaders in a way that sells compliance without “selling” compliance.  

So how do we do that? Here are five strategies that may help:  

1. Establish Rapport with Your Leaders  

As part of onboarding with any organization, I would research the organization and the market in which it operated. For example, if I worked for a health system I would research its history, including recent expansions of any service lines and mergers or partnerships with other organizations. Some of this work may have been done as part of applying for the job, but this will be a time to take a deeper dive and review documents you would otherwise not have access to as an outsider.  

Another Tactic: Take an Active Interest in Leaders  

If you are new to an organization, conduct a meet-and-greet meeting with your healthcare leaders to learn more about them. If you have been with an organization for some time, have discussions with leaders who are new to you. During these meetings, find out as much as you can about them professionally, such as: 

• How long they’ve worked in healthcare 
• How they got into this line of work 
• What their day, week, or month looks like 
• Their biggest accomplishment so far 
• Their biggest challenge so far 
• What they like to do in their spare time 

Keep in mind: your overall mindset should be one of curiosity. By diving into some of these questions, you will expand your knowledge and demonstrate an active interest in them.  

When you take time to understand your organization’s market and learn more about your leaders, you enable yourself to initiate or engage in dialogue about topics unrelated to compliance. Over time, all your effort will help you establish rapport with your leaders – which helps you in selling compliance to them. 

2. Do Your Homework  

When I say you should do your homework, I mean that you should focus on the leader(s) you’re working with and the operations-in-question to the issue you are addressing. Here are two tactics I typically factor into my homework on any issue I’m working on: 

Tactic One: Know Your Audience 

If you are communicating a message of “do this” or “don’t do this,” but the audience is not able to connect with it, they won’t understand what you’re saying. This is where the concept of relatable examples, tailored to the audience, comes into play.  

For example, if I were educating a group of physicians about HIPAA and safeguarding PHI, I might use an example of discussing a patient’s treatment plan in front of friends or family members. This is a situational example that occurs daily in the life of a practicing physician and has a HIPAA concept embedded in the scenario.  

Always approach a compliance message with consideration of the audience’s point-of-view. How would they view this particular topic? What questions would they have? If you are not sure of the answers to these questions, then ask the staff or their leaders for feedback and insight. 

Tactic Two: Understand the Operations Related to the Issue 

You want to think about matters from the perspective of the individuals who are having to live with the regulatory requirements – not the person enforcing them. The best way to do that is to roll up your sleeves and dig into the logistics of their operations.   

There are a couple of different approaches you can take. First, after studying their policies and procedures, you could learn about the department and their processes by interviewing the leader(s) and staff. Ask them detailed questions about how they perform the work and be careful that your questions come across as curious and not judgmental. It could help to have them explain what they are doing as if they were explaining it to someone without a healthcare background. Second, you could shadow their staff or have them lead you on a department walkthrough. In my experience, if you really want to understand the work, see and experience the work first-hand.   

By doing your homework, you send the message you are genuinely interested in the work others do and empathetic to the challenges they face. This will leave them feeling like you understand their point of view and are genuinely trying to find a solution that will work for them.  

3. Anticipate Questions, and Be Prepared with Answers  

It often helps to look at the matter from the leader’s perspective and not your own. If you were the leader of a particular department, what questions would you have about the regulatory requirements? Are there specific terms within the regulation that you would want to understand? What do certain words and phrases mean when applied to your operations? What challenges might you face in trying to meet these requirements? What organizational pressures are you currently facing (e.g., budgetary constraints, staffing, resources, meeting performance goals)? These and other questions help you think like your leaders. 

To develop answers to these questions, it helps to know how decisions are made in the organization. For example, let’s say there was an audit that identified a billing error which resulted in a six-figure repayment to Medicare. Before you tell your CEO what happened and outline the path forward for resolution, be mindful that they will want to make sure the CFO is aware. So, either invite the CFO to participate in the discussion or let the CEO know you have already vetted the matter with the CFO. 

4. Focus on How it Benefits Them – Not You 

This means keeping your message focused on how the work supports their department or the organization as a whole – not the compliance program.  

For example, let’s assume you are conducting an investigation into a breach allegation reported from a patient. You want to communicate the need to ensure the organization appropriately handles the investigation and response so that trust is restored with the patient. You also should share your concern that the organization could suffer financial or reputational harm if the patient chooses to report the matter to the Office for Civil Rights. 

Anytime you can keep the focus of your message on how it benefits your audience, it will significantly improve the chances they will relate to the message. Over time, this will improve your ability to sell compliance to your leaders. 

5. When You Bring a Problem, Bring a Solution 

Finally, if you want to improve your compliance culture, it helps to communicate an identified issue and your proposed solution together in one package.  

For example, let’s assume you have been made aware that the organization inadvertently billed Medicare for a particular procedure in error (e.g., the wrong procedure code was billed). When you alert the appropriate leader(s) of the news, you should explain what occurred along with how and why it happened. Then take your message a step further by explaining the solution (e.g., steps you are taking to resolve the matter).  

By taking this approach, you reduce their anxiety by communicating a clear path for mitigating risk and restoring the organization back to a state of certainty. Over time, this approach will help you in selling compliance to your leaders.  

With all these different strategies, there is a central theme: focusing on the perspective of your audience instead of your own. While it may seem counterintuitive (i.e., to get more engagement you have to focus on things other than the compliance program), following these strategies over time will help you sell compliance and improve your engagement. It also will result in a healthier compliance culture.  

Jay Anstine is a compliance professional and consultant in Colorado. He is a healthcare lawyer with significant industry knowledge of the U.S. healthcare market. Over the past 20 years, he has worked for large for-profit and non-profit health systems and small physician-owned entities. In tackling the countless regulatory and operational issues for these diverse organization types, he has developed a deep understanding of the business of healthcare and the regulations governing the industry. In 2018, Jay became an adjunct faculty member with the University of Southern California Gould School of Law, designing and teaching healthcare compliance courses. 

 Jay obtained his law degree from the University of South Dakota, where he focused on healthcare law. From 2012-2016, he served on the Board of a non-profit organization serving the medically underserved in Colorado (ClinicNET). He is also a member of the Health Care Compliance Association (HCCA), serving on the planning committee for the Mountain Regional Conference since 2008.  

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management  

Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm.  

---

27 Ungated Resources for Compliance Leaders and Teams 

Compliance professionals sometimes feel undervalued in comparison to other functions in their organization. They think leaders and colleagues don’t really understand what they do.  

These resources will help. Packed with ideas, tips and recommendations, these pieces were written by professionals with many years of compliance experience. 

You can quickly skim for articles that relate to your needs and interests. Bookmark this page as a reference for future questions or projects.

Visit Now

---

Download our Latest Whitepaper

Sign-up for our Weekly Newsletter

Schedule a quick overview

The post How to Sell Compliance without “Selling” Compliance   first appeared on YouCompli.