Five tips to help providers comply with Stark
The Stark Law, the federal physician self-referral law, creates a whole set of rules that providers must understand and actively work to comply with. And for all its good intentions, the Stark Law is incredibly restrictive. In fact, the U.S. Court of Appeals for the 4th Circuit noted that “even for the well-intentioned healthcare provider, the Stark law has become a booby trap rigged with strict liability and potentially ruinous exposure.”
The Centers for Medicare & Medicaid Services (CMS) and Congress have taken steps to clear up confusion and loosen the rules in some cases (see our article on exceptions for value-based care). Still, your Compliance team has a tremendous responsibility to make sure that policies match the rules and that providers understand and follow the policies.
Policies match the Stark rules
Changes to the Stark Law have been coming out practically since the law was enacted. The law, which aims to prevent financially motivated self-referrals, has gotten complicated in the details. Congress amends the statute and CMS updates its regulations to help the law catch up with changing business practices. Healthcare organizations may have written policies that facilitated compliance originally; however, those may be completely out of date if the organization has not kept up with the changes in the law.
For example, CMS has introduced modifications that address challenges with value-based care and resolve issues that were restricting coordinated care and health data exchange. Another modification allows healthcare providers to accept donations of cybersecurity technology and related services from stakeholders.
While the compliance officer enforces the policies, he or she doesn’t have to live them the way those in operations do. Getting input from key stakeholders such as providers, Risk Management, and others in the C-suite can help ensure that final policies are clear. This early feedback and engagement can also help identify how the policy or regulatory changes will affect the individuals who must operate under them. Lastly, they can help identify potential operational conflicts with new policies or regulatory changes.
Providers following the Stark policies
With compliant policies in place, it’s time to help providers understand how to follow them. This is where explaining what key terms in a policy or regulation mean in the context of the provider’s particular work becomes critically important.
Compliance officers know that “the road to success is going to run through quality of care,” says Harry Nelson, health care attorney at Nelson Hardiman. “Compliance isn’t the internal police that slows things down, but a strategic part of growth.” When it comes to making sure providers understand how to follow policies, the compliance officer has to look at the language of the policy from the providers’ perspective, not that of the compliance officer.
Here are five steps to help providers understand and follow Stark-compliant policies:
- Engage your operational leaders. Make sure the president and CEO understand the nature and intent behind Stark limitations so they can help explain and reinforce them. Give situational examples they can relate to so they understand what the key terminology means.
- Invest in training and communication. One email won’t do it with changes to Stark-related policies. Engage providers in small groups, in writing, and in person to explain nuances and answer questions about tricky scenarios. Whenever possible, use real-world scenarios to help illustrate how the regulations and policies impact them. Education and training should also be routine and ongoing with key stakeholders.
- Get feedback. Regularly check in with your leaders. Find out whether the tools and procedures you implemented are working for them, and identify the challenges they face. This step will show you where the words on paper mean something the compliance officer had not thought of. Adapt procedures and tools if necessary.
- Encourage people to ask questions. Make sure providers and your operational leaders alike know they can use you as a sounding board for grey areas or possible violations. It’s much better if they proactively ask if a proposed arrangement is compliant. Otherwise, they may have to unwind a relationship if they find out it is not compliant.
- Promote awareness to prevent future mistakes. Once an error is made, chances are it will recur and lead to additional violations. As you address errors, promote awareness to prevent repeats. For example, when you communicate the fact that a mistake was made, go the extra step and explain what caused it. This is an opportunity to find out where the confusion was and use that insight to update policies or training.
Stark compliance starts with knowing about changes to the regulations and continues with crafting policies that providers can understand and follow. Involving stakeholders in policy creation and training, and engaging tech systems to reinforce the lessons will support the long-term success of Stark-compliant policies.
Communicating Compliance Terms in Plain English…
If you have ever been new to a particular field, such as healthcare compliance, you know all too well that the language used by coworkers can sound foreign, like gibberish or “alphabet soup.” As we continue to work in the field, we, too, start speaking the language. While that may be fine for conversing within the compliance department, it can still be confusing when we try to communicate with, or educate, other functional areas of the healthcare organization. If the audience does not know the terminology, the message we are trying to convey is unlikely to be understood when received.
Alphabet Soup
Take a look at an example of terminology starting with just the letter “A” from the Office of Inspector General (OIG) Work Plan acronym list (reference below):
- ADAP AIDS Drug Assistance Program (note this one includes an abbreviation in the definition);
- AI/AN American Indians and Alaska Natives (I, for one, was unfamiliar with this abbreviation);
- AIDS acquired immunodeficiency syndrome;
- ALF assisted living facility;
- ALJ administrative law judge;
- AMD age‐related macular degeneration (while I have heard of macular degeneration, I did not know this was a standard abbreviation);
- AMP average manufacturer price;
- ASC ambulatory surgical center;
- ASP average sales price; and
- AWP average wholesale price.
Say I am talking to another seasoned compliance professional in front of a new employee. Using the above “A” acronyms only, the conversation may sound something like this,
“Based on the billing audit, I see we are not receiving contracted AWP reimbursement under our AI/AN contract for ALF patients with AMD.”
As you can imagine, a new employee might be confused by acronyms and terms used in place of plain business English. Simply saying the entire term instead of the abbreviation is a good place to start, so instead of saying AWP, say average wholesale price.
Repetitive Communication
To improve communication between seasoned compliance professionals and other members of the organization, use repetition as a teaching strategy. Say the entire compliance term together with its abbreviation, and in written communications spell out the term on first use alongside the abbreviation. That way staff become familiar with compliance terminology and it becomes part of their daily vocabulary.
Knowledge in Practice
In any industry, including healthcare, it is easy to throw around acronyms and jargon that are familiar and efficient. However, be aware of who you are talking to, and make sure they clearly understand whatever you are communicating. Translate and reword industry terminology in emails, policies and teaching materials where necessary to improve communication and understanding. Better compliance will ultimately be the result.
PRACTICE TIP:
- Regularly evaluate training and orientation materials to ensure industry specific terminology is defined and understandable.
RESOURCES:
Health Care Compliance Association (HCCA) Compliance Dictionary found at https://www.hcca-info.org/publications/compliance-dictionary
Health and Human Services (HHS), Office of the Inspector General (OIG), Work Plan Appendix B: Acronyms and Abbreviations found at https://oig.hhs.gov/publications/workplan/2011/wp09-appx_b_acronyms.pdf
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.
Collaboration Between Compliance and Risk: What is Permissible?
Compliance departments, generally speaking, guide staff and boards of directors in complying with the requirements, laws and regulations that govern the organization’s business. They also monitor for compliance via internal audits. Risk departments, on the other hand, address ways to mitigate risk to the organization through activities such as the evaluation and purchase of insurance policies. Given the broad scope of these two departments, when is collaboration between compliance and risk permissible?
Possible collaborations
- Strategic planning: Collaboration here should include not only compliance and risk but the entire organization and the board of directors, if applicable.
- Disaster response and business continuity: As with strategic planning, disaster response and business continuity planning should also involve input and collaboration from all departments in the organization.
- General security and privacy: Here the compliance/privacy officer, information technology/security officer, and risk management director should all be included in the planning.
- Known security threat and/or breach incident: Compliance, information technology (IT), and risk management would all participate in mitigating a security threat or breach incident on the organization. Each would provide input and guidance on their respective areas of knowledge.
- Risk assessments, gap analysis and mitigation plans: Again, the development of these plans should include leaders from the entire organization; moreover, compliance and risk would specifically collaborate on the assessment, analysis and mitigation activities.
- General policy development: Compliance and risk staff can collaborate and provide feedback and input for all organization policies.
- Record and document retention schedule: Here compliance and risk can collaborate with legal counsel to ensure record and document retention policies comply with state and federal laws.
- Staff education: This is an area where compliance and risk can collaborate to provide training, whether it is done in person, virtually, by email or via online course.
Collaborations to vet and evaluate permissibility
- Security breach: As noted above, compliance, IT, and risk will work together once a security breach has been identified. It is important to ensure that compliance addresses HIPAA-related information and the potential reporting requirements (under the HIPAA Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered); that IT evaluates the technical aspects of the breach, including how the attacker got in and which data was actually accessed; and that risk focuses on reporting to the insurance carrier and on mitigation strategies in conjunction with compliance and IT. These collaborative activities will usually take place under the direction of a breach coach or law firm, so that the investigation is conducted under attorney-client privilege and the confidential nature of the breach is protected.
- Shared work areas: Depending on the confidential nature of discussions, say a lawsuit against the organization, it may or may not be appropriate for compliance staff to be privy to such information. So shared work areas should be closely evaluated.
- Shared staff: As with shared work areas, if a staff member such as a registered nurse (RN) is shared between the compliance and risk department, both leaders and the RN must remain in the scope of the job role in which they are working at the time.
- Reporting to the board: Typically, compliance reports to the organization’s leader (such as a CEO) but also has direct or dotted line reporting to the board of directors. Make sure any collaborations with other departments do not create potential conflicts of interest with reporting up this chain of command.
- Committee membership: As with the analysis discussed above, make sure to vet compliance staff member membership on the risk committee and vice versa to avoid any actual or potential conflicts of interest.
Goal
All organizations should work to develop a culture where permissible collaborations between compliance and risk occur. They should also make certain that staff feel comfortable calling the compliance or risk department with potential concerns, while ensuring that staff do not cross any lines when it comes to confidential compliance or risk department matters or conflicts of interest.
PRACTICE TIP:
- Evaluate opportunities for the compliance department to collaborate with the risk management team, as noted above.
Can Moral Rebels Assist With Organization Compliance?
I recently heard the term “moral rebel” while listening to an SCCE Compliance Perspectives podcast. This piqued my curiosity because I wanted to know whether a moral rebel was perceived as a positive. In the podcast, Amherst College Professor Catherine Sanderson explained that a moral rebel feels comfortable standing up to a crowd and will call out bad behavior. Similarly, Scott A. McGreal wrote in Psychology Today that moral rebels have a strong sense of moral identity and are more likely to act morally under pressure. Politics aside, I think we could use more moral rebels right now, especially in our compliance departments. So, how can moral rebels assist our organizations with compliance? Let’s look at a hypothetical case scenario to find out…
Case Scenario – Chaperone policy
Your organization has a chaperone policy which requires a chaperone to accompany the provider and patient for any sensitive examination involving the genitalia, rectum, groin, buttocks or breasts. The policy states the chaperone may be a nurse or medical assistant.
From a compliance and risk perspective, the policy has been implemented to protect the patient, the provider and the organization from potential allegations of inappropriate touching. Providers should be educated to ensure the policy is followed regardless of patient and provider gender. The policy is written this way because anatomical sex may not reflect the gender a patient identifies with.
If a sensitive examination needs to be performed, a chaperone must be present during the examination and the chaperone’s name should be documented in the visit note. If, however, after being educated about the need for a chaperone during the sensitive examination the patient declines one, the declination should be witnessed by the provider and another staff member and documented in the visit note by the provider, including the name of the staff member who witnessed it.
Potential non-compliance with the chaperone policy
Jesse is a medical assistant who works in a pediatric and adolescent clinic. Jesse observes a provider who identifies as male take a patient who identifies as female into an examination room alone. Since Jesse prepped the patient’s chart the night before, Jesse knows the patient is here for abdominal cramps and irregular menstrual bleeding. Moreover, Jesse prepared the exam room to ensure the provider had a speculum and gel available for a vaginal exam. During the patient’s visit, Jesse is never called into the room. While accompanying another patient to the lab for a blood draw, Jesse sees the female patient checking out at the front desk. Jesse wonders who chaperoned the patient’s visit because the only other medical assistant is on lunch break.
Ability to stand up / come forward
In the case scenario above, Jesse would be a moral rebel by speaking up and confirming whether the chaperone policy was followed by the provider. If uncomfortable discussing it with the provider directly, Jesse may report the concern to the nurse manager for follow-up. In an organization where moral rebels are valued, the nurse manager would support a culture where moral rebels are not afraid to come forward when organization policies are not being followed or there is potential harm to a patient or another staff member. Moreover, the nurse manager and compliance would ensure there was no retaliation against Jesse.
PRACTICE TIP:
- Educate staff on policies, such as the chaperone policy, and then monitor compliance with that policy.
- Foster an environment for moral rebels – individuals who are driven by morals to do the right thing – to bring potential issues to the attention of leadership or compliance without fear of retaliation.
Weaknesses in Internal Controls: How to Manage and Mitigate Vulnerabilities
Revised September 2022
Risk in US Healthcare
It is incredibly difficult to turn off “work brain” after the day is done. Thoughts and questions keep creeping in during off work time, personal time.
For example, did I send the new state law privacy requirements to our IT security team to review? Are the staff following and appropriately documenting for telehealth reimbursement? Or what should be my priorities on Monday morning? These questions all represent potential weaknesses in internal controls. Let’s explore what can be done to mitigate or decrease any vulnerabilities.
It is important to have appropriate internal controls supported by open communication between colleagues, and forthright reporting to both compliance and risk departments in an organization.
Since organizations are still run by humans, there remains the potential that one human sets up a call to discuss a topic (like a regulatory change), and inadvertently forgets to invite all the other humans affected by the change. Having a process in place where an employee discusses a need to meet with his or her supervisor can help ensure you’ve got the right humans at the table.
Internal controls must also be communicated to staff so they can adhere to the organization’s expectations and policies. This is where education, early and often, that includes the why behind the internal control, gives the best results in reducing vulnerabilities.
Top Areas of Risk
Top areas of risk to a healthcare organization include weaknesses or vulnerabilities in security, documentation, operations, and staff performance. Let’s consider the following:
- The risk focus for organizational security typically includes areas like information technology (IT) and physical buildings. Cybersecurity data leaks or active shooters are examples of each.
- Incomplete, non-existent, or fraudulent medical record documentation is another large risk for health care organizations.
- Lack of clear policies, procedures, or protocols (PPPs) present huge risks to the organization as employees may act in a way which is not in compliance with PPPs.
- And finally, human error, even if unintentional, can present costly risks to the organization, such as a Stark law violation. Both the strongest and the weakest internal control for health care organizations involve the staff. Take cybersecurity: many data leaks start with staff clicking on the wrong link or attachment and letting the “bad guys” into the network. The same is true of tailgating, when an employee lets someone into the building on their own badge scan rather than making them badge in themselves; the access log then shows one person entering when two did.
Mitigate Risks
Risk mitigation is an organizational strategy to prevent or decrease the impact of mistakes or unanticipated outcomes when they occur. One strategy is to implement organizational controls, such as PPPs along with checklists and tools, to either prevent or decrease organizational risks.
- A primary and effective way to mitigate risks to the organization is to empower the employees with knowledge. Don’t just have employees complete compliance and risk education online. Go out and meet the staff and answer their questions in real time! Or encourage them to call or email their questions and provide timely follow up.
- Risk and compliance departments should foster a culture of early reporting by staff when there is a mistake or unanticipated outcome or a deviation from the PPPs. When a staff member makes a report, it is important to document the facts while remaining objective and non-judgmental. (Related: Read Brian Kozik’s story of changing the consequence structure to support a safe to speak up culture)
- Ensure you have a usable system to track internal control weaknesses to manage and mitigate vulnerabilities. Whether this is a manual process or is done through an IT application, make sure you consistently use the internal controls to evaluate and mitigate risks because they change – frequently.
- Review, or if you don’t have them, develop cybersecurity and business continuity plans. These plans should be living documents that are used regularly and revised at least every two years, to ensure compliance and risk topics are current and mitigated. These plans should not just be a book on the shelf or a file on a computer. The risk focus for these plans should include tools to monitor both IT and the physical building risks.
- Commit to being a leader when it comes to promoting an open culture for reporting weaknesses, or breaks, in internal controls so early mitigation strategies can be implemented.
Proactively setting internal controls helps you and your colleagues address mistakes and errors when they inevitably do happen. While there is no failsafe way to ensure 100% compliance with internal controls, or that all employees will do the right thing every time, you’ll be better positioned when staff are educated and equipped to comply with regulations and do the right thing. And in organizations that have an open culture of reporting, both the risk and compliance teams will be aware of the internal control weaknesses so they can implement mitigation strategies early on.
Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.
Compliance Training…On-The-Fly
Simplify Compliance Training
One of the biggest potential challenges for any organization is the pace of change within compliance.
Often, these changes create the need to quickly build and deliver regulatory training to large or small groups of staff.
That may sound easy, but it’s not.
- Creating the content takes a lot of your time
- Trying to get people together for a compliance “session” is like herding cats
- Dumping a bunch of generic content into an LMS is usually counterproductive
- Keeping track of it all in spreadsheets and emails is challenging
A large health system in California had 10 days to create, deliver, and complete training for their pharmacy techs on a new privacy waiver they had received.
They turned to youCompli’s Compliance Portal.
The portal gave them everything they needed to quickly, effectively complete the work.
Improving Your Reputation: How to Help Your Healthcare Organization See the Compliance Department in a Positive Light
When the compliance team visits another department, staff responses are usually the same: we must have done something wrong.
This isn’t the response that you want. The compliance department and staff should be seen as approachable, working in a collaborative fashion to make the organization more successful. If the compliance department only comes in to run audits and give “constructive” feedback, then compliance will quickly become known for negativity and criticism.
Collaboration
It is important to collaborate with other departments and incorporate a holistic organizational approach. This means valuing what other team members have to offer with regards to compliance in the organization. It can be easy for compliance professionals to make black or white statements regarding compliance with a specific regulation or policy. After all, it’s there in writing — in black and white.
But, other teams can sometimes bring to light another perspective. There may be gray areas in the written requirements or overall process and addressing these could benefit the organization without compromising compliance.
Or, compliance professionals could demonstrate openness to evaluating how requirements and regulations are impacting specific operational workflows. For example, when evaluating a compliance process for telehealth visits related to obtaining consent, the operations leader should be given an opportunity to work with compliance in developing the process.
In-Person Education
One approach to improving collaboration with other departments is to conduct in-person education and question and answer (Q&A) sessions. Ask all department leaders if you can have ten (but no more than fifteen) minutes at their next staff meeting to introduce the compliance team and to solicit compliance-related topics and questions. Before the meeting, make sure to get the department leader to provide two to three compliance-related topics that would be of interest to their team. Prepare a short slide presentation to use in the meeting — typically, one slide per topic and one Q&A slide at the end.
During the meeting, make sure to leave at least five minutes for compliance Q&A. Listen to the staff questions and solicit information on challenges or knowledge gaps related to compliance, so follow-up can be done with that department or team.
Follow-Up Education
Follow up should be timely (within three to four weeks) and can be done a few different ways: short videos, posts on the internal intranet or website, email education, or additional in-person follow up education. There are several excellent (and free) applications available online where you can create short, two- to three-minute compliance videos that can then be distributed to staff.
Follow-up education could also be done by email if the topic and question and answer lends itself to an email response. For example, if staff ask a question about HIPAA’s application to texts or emails, it would be fairly easy to find a one-page summary on the application of HIPAA to texts and emails and attach that to an email.
Volunteers
Another way to improve collaboration would be to have compliance staff volunteer to participate in organization committees not directly related to compliance. For example, compliance professionals could join the policy committee or the activities committee. In this way, the compliance team can develop positive relationships with others in the organization, in an open and approachable way.
Practice Tip:
- Reach out to at least 3-4 departments before the end of the year to schedule and conduct in-person meet and greets with a focus on compliance education.