AHA and CMS to Keep Regulatory Flexibilities in Place

COVID-19 continues to create obstacles and challenges for healthcare compliance professionals. Thriving in this environment means being agile and adaptive.

The AHA’s Requests

Last week, the American Hospital Association (AHA) asked the Centers for Medicare & Medicaid Services (CMS) to keep relaxed regulations in place. Specifically, the AHA is interested in keeping flexibility around telehealth, quality and compliance measures, and bed capacity.

The telehealth changes are ones that have been on the horizon for some time. Essentially, the AHA is asking CMS to continue to allow hospitals to provide a wide range of telehealth services, without limitations as to profession or geographic location. The AHA is also asking for flexibility on billing and payments related to telehealth to be made permanent.
More interestingly, the AHA has also asked that CMS extend regulatory relief related to some quality and patient safety regulations. These include expanding the use of verbal orders, and extending the reuse of PPE.

The AHA has also asked that CMS provide hospitals with a transition period, to allow them to more easily move from pandemic response to ordinary practice. This includes a request for temporary waivers for sanctions and penalties related to HIPAA , and flexibility on audit requirements. And, it includes a request that certain rules and requirements be delayed or suspended.

The Response From CMS

Three days after the AHA released this letter, Michael Caputo, Assistant Secretary for Public Affairs at the Department of Health and Human Services (HHS), tweeted this :


The public health emergency is currently set to expire on July 25. However, as of this writing, HHS hasn’t officially announced how long the extension will be

This means that we don’t yet know what will happen when the emergency finally does end. Will HHS give a transition period, as the AHA has requested? Will HHS continue to allow flexibility about telehealth, which they have previously indicated they would?

Staying up to date on this fluid situation is going to be a key task for compliance in the coming weeks.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

The Results Are In: What the Data Say About the Impact of COVID-19 on Healthcare Compliance

We keep hearing that COVID-19 changed everything, especially in healthcare. But actual data is pretty thin on the ground.

Mostly, we’ve been hearing anecdotes and stories, many of which are striking. The problem with stories is that they can be unique or unusual, and without the context of clear data, we can’t really tell.

Last week, we got some data.

In May, the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) surveyed their audiences on the impact of COVID-19 on their organizations and their work. They received 300 responses, have collated the results, and there are some interesting trends. You can read the full survey results here.

Confirming What We Knew

Some trends are unsurprising, and confirm what we already knew. Survey respondents said they had concerns about the increased risk of compliance failures as a result of the pandemic.

  • 77% expected that there would be some increase, or a great increase, in compliance failures.

It’s also unsurprising to see that healthcare saw more of an increase in the number of inquiries being made of the compliance team.

  • 42% reported an increase in healthcare
  • 30% reported an increase outside of healthcare

Given the number of healthcare-related regulatory waivers and temporary changes that have been issued, this makes total sense.

Positively, collaboration with other departments has been largely unaffected or increased during the pandemic. Compliance is still seen as really valuable to the organization as a whole. The numbers range from 83% to 96% of respondents reporting that collaboration has stayed the same or increased (depending on department).

Differences for Healthcare Compliance

The data also show some surprising trends, specifically related to healthcare compliance.

We know that there has been a huge shift to remote work. The surprising aspect is that the shift is very different between healthcare compliance and compliance elsewhere.

  • In healthcare, 60% reported working remotely
  • Outside of healthcare, 84% reported working remotely

This gap is big, and hard to explain. Working in healthcare institutions would, presumably, increase the risk of being exposed to the virus. It would have been reasonable to expect that healthcare institutions would do as much as possible to try to get their non-clinical staff set up to work effectively off-site.

What’s even more surprising is that healthcare professionals are less likely to report that the transition to remote work has gone well.

  • In healthcare, 47% said the transition had gone better than expected
  • Outside of healthcare, 64% said the transition had gone better than expected

The survey doesn’t indicate why this is so. Speculating a little, it could be that the disruption in moving to a remote office, coupled with the sudden influx of regulatory changes, made it more difficult for healthcare compliance professionals to manage their day-to-day work. If this is true, it would also explain why healthcare institutions were less likely to transition compliance professionals to remote work.

There’s another difference between healthcare and other types of organizations, and this suggests things will be difficult for compliance professionals going forward into 2021. In relation to budgets:

  • In healthcare, 40% reported a budget reduction
  • Outside of healthcare, 31% reported a budget reduction

In short, budget reductions are coming to compliance, as they are going to come to other parts of the healthcare system. (If they aren’t already in place.) As COVID-19 related waivers and suspensions start to expire, compliance is going to have to find a way to do more with fewer resources.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

The New Office of Burden Reduction and Health Informatics: Implications for Healthcare Compliance

You may have heard that, last week, the Centers for Medicare & Medicaid Services (CMS) announced the creation of a new office: the “Office of Burden Reduction and Health Informatics.”

What exactly is this new office supposed to do? According to the press release from CMS, the intent is “to unify the agency’s efforts to reduce regulatory and administrative burden and to further the goal of putting patients first.”

All well and good. But what does that actually mean?

Value-Based Care

Here’s one thing that CMS says clearly. They are “committed to leveraging the significant flexibilities introduced in response to the COVID-19 pandemic as we continue to lead the rapid transformation to value-based healthcare.”

We’ve all been hearing about value-based care for years. (Here’s a piece from 2016, for example.) The pace of change hasn’t been particularly speedy, and the pandemic has disrupted most big transformative plans, especially in healthcare.

That said, the Department of Health and Human Services (HHS) is still committed to value-based care. If reducing or streamlining the regulatory environment is necessary in order to make this change happen, you can bet that HHS and CMS will do it.

What specific regulations will CMS change in order to make this happen? That remains to be seen. Recently, CMS did announce that they will be maintaining at least some of the regulatory changes related to telehealth.

Which ones? We know of one rule change that CMS has announced: the proposed physician fee schedule rule, which should come out in July, will include proposals to permanently expand coverage for telehealth services. As of this writing, the rule has not been published, and CMS has not announced details.

With that exception, however, there hasn’t been a lot of movement on specific regulations that could be helpful. In fact, our observations suggest that most regulators are moving back to business as usual. If CMS has plans to streamline regulations to enable the transformation to value-based care, they are keeping those plans very close to the vest.

Improved Review

However, CMS commits clearly to increasing the number of stakeholders – including clinicians, providers and health plans – that it engages with when assessing the impact of new regulations.

This could be a welcome change for compliance professionals, as a more comprehensive assessment of regulatory impact could result in a regulatory environment that’s a lot easier to work within. Clearer regs with reduced expectations would mean less work required by the clinical and revenue cycle staff in your organization.

And that would mean less time spent following up and trying to get staff to do the work.

Health Informatics

CMS has also committed – as indicated in the second half of the new office’s name – to further implement health informatics. The idea here is to effectively use health data in order to provide better care.

CMS gives this as a specific example: “to create new tools that allow patients to own and carry their personal health data with them seamlessly, privately, and securely throughout the health care system.”

This proposal has obvious advantages for both patients and providers. But it could cause significant headaches for compliance.

Staying in compliance with an EHR system for just one health system is challenging enough. What CMS is proposing is an EHR system that applies across all Medicare and Medicaid beneficiaries. This would be much more complicated! The HIPAA implications alone could be staggering.

So, the use of health informatics could make the work of compliance much more challenging. We can all expect that there will be more data available and being used, and more complex tools to manage it. This trend exists across almost all industries, and healthcare is not going to be an exception.

In a highly regulated environment like healthcare, however, big data and big data tools will need to be monitored very carefully. There are a lot of ways that data tools could violate regulatory requirements. If compliance professionals aren’t careful, software and other tools could be put in place that expose the organization to high levels of risk.

Staying Up to Date

As of this writing, there is limited information as to what the Office of Burden Reduction and Health Informatics will be doing for the US healthcare system. It has a broad mandate, with unclear specifics.

There is a possibility that the office will make compliance easier, by more effectively assessing the impact of regulations before imposing them. There is also a (stronger) possibility that it may make compliance more challenging, by creating wide-ranging technological systems that compliance officers will need to monitor carefully.

As new regulations are issued, and new announcements are made, we’ll be keeping you updated. youCompli customers always have access to the latest regulatory changes as they come out and will be well-positioned to adapt to the environment created by his new office.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

Not All COVID-19 Regulations Are Created Equal

You’re struggling to keep up with all the regulatory changes that COVID-19 has created.

Many of these changes have been short and straightforward… but not all of them.

After analyzing one CMS reg (85 FR 27550), we created a 19-page policy document!

The reg’s primary purpose expanded the range of practitioners who can order — and thus be compensated by Medicare and Medicaid — home health services. It also covers a wide range of other revisions for testing, telehealth, medical equipment, and so on.

Our system broke the regulation down into its core requirements — that is, the pieces of the reg that healthcare compliance and clinical professionals need to know about. Then it was reassembled into this document and placed in an order that makes sense.

You can view the whole document by clicking this link.

Every change to a previous procedure is highlighted in red, and it includes hyperlinks to skip around.

Everything is written in clear language, so it’s easy to follow and implement.

Want us to do the same for your organization and the regulations you’re managing? Set up a quick meeting here and let’s get started.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

Risk and Compliance in Healthcare Organizations: The Department of Justice’s 2020 Guidance on Corporate Compliance Programs

The Department of Justice has just issued updated Guidance on the evaluation of corporate compliance programs. This document is the latest in a series of Guidance documents (prior versions were issued in 2017 and 2019) issued by the DOJ to assist prosecutors who are investigating potential criminal acts in business organizations. What implications does this have for healthcare compliance?

When it comes to healthcare organizations, the DOJ will typically defer to the agencies with specific healthcare responsibility, such as the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services (HHS). However, the DOJ guidelines are often relied upon as a “best practice” for developing a corporate compliance program, including a healthcare compliance program. The DOJ is also likely to incorporate healthcare-specific guidelines (such as the Seven Elements of an Effective Compliance Program) along with its own Guidance documents, rather than defer entirely to another agency.

DOJ Guidance Documents Explained

Generally speaking, the DOJ issues these guidance documents in an effort to show transparency to both organizations and attorneys. The intent is essentially prophylactic — that is, here’s what we’re going to be looking for, so make sure that you’re following this; and if you aren’t, you can’t be surprised that we’re asking.

This guidance document is slightly unusual in terms of its strength and scope. It provides all federal prosecutors with a strong mandate to assess and evaluate all aspects of a compliance program, regardless of the industry or nature of the putative misconduct. In other words, as part of a broader criminal investigation, the DOJ will review a compliance program, and use this document to guide their investigation into whether that program was at a sufficiently high standard — or not.

There are three overall questions on which this Guidance is built, along with a number of more specific inquiries to guide prosecutors in determining what, if any, consequences should be applied to the organization. These could include prosecution, monetary penalties, and additional compliance obligations (such as reporting).

Question 1: Is the compliance program well-designed?

The Guidance makes specific reference to a formal risk assessment and resource allocation process. This not only means that a compliance program must start with a risk assessment, but risk assessments must be reviewed and updated periodically, and updates must be made to policies, procedures and controls as necessary, throughout the organization.

The Guidance spins out a number of other specific requirements as well, such as training and communication, and reporting and internal investigations. The punchline, though, is that everything comes out of the risk assessment. Every process and procedure that makes up the compliance program must be aligned with the risks identified by the ongoing risk assessment process.

This means that, at a bare minimum, it is essential that a good compliance program have a strong risk assessment behind it. That assessment must be revisited at regular intervals, and changes in internal controls will need to be regularly made.

Question 2: Is the program effectively implemented?

The DOJ is distinguishing here between what we could call a “real” program, as compared to a “paper” program. In other words, are there appropriate resources to make the program function the way it was designed? Does senior management buy in to the program, and endorse it at a cultural level throughout the organization?

While a risk assessment is where a compliance program begins, the Guidance makes clear that it is in ongoing management and implementation that a compliance program comes to life. Without significant time and resources invested to build the compliance program into the way the organization functions, the program is not going to be sufficient, and the organization will vulnerable to potential penalties.

Question 3: Does the program actually work?

This backward-looking question is intended to assess whether the program was well-designed and well-implemented for the particular organization within which it operates. That is, if misconduct has occurred, was this because the program wasn’t the right program for this organization? Or was the program functioning well, and the misconduct resulted from something else? (DOJ acknowledges that no compliance program will ever prevent every incident of misconduct.)

What DOJ is ultimately looking for here is whether the program changes over time, in response to changes in the organization. If there is misconduct, is it investigated? Are opportunities identified for improving the compliance program to prevent the misconduct in future? Have these remediation efforts actually been implemented? And so on.

Best Practices

Overall, the DOJ has provided a set of clear guidelines that should be used to not only develop new compliance programs, but assess existing ones. Programs which do not live up to the DOJ’s requirements on risk assessments, program implementation, and continuous improvement are more likely to be found to be inadequate. And an inadequate compliance program leaves a healthcare organization at risk.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

How to Juggle Medicare and Medicaid Compliance in a Fluid Regulatory Landscape

Do you treat patients insured by Medicaid or Medicare at your hospital? While participation is voluntary for for-profit healthcare systems, accepting Medicaid and Medicare patients is a condition of federal tax exemption for non-profits. Currently, Medicare and Medicaid account for more than 60 percent of care provided by hospitals making it nearly impossible for healthcare systems to forgo these programs.

So, if the stark reality is that you must participate, compliance becomes an issue. And it’s complex. Especially for hospitals that have multiple outpatient locations and inpatient campuses. Under Medicare provider-based rules, it’s not possible to certify just part of the system. When you consider there’s nearly a 500-page certification process, it’s clear that it’s crucial to have effective compliance tracking.

An effective compliance program is multi-faceted and includes monitoring and auditing, legal reviews of procedures and contracts, reporting mechanisms as well as training for employees. Healthcare systems are multi-faceted too with labs, pharmacies, rehabilitation centers, clinics, surgery centers and more. Keeping on top of compliance not only to effectively report but to identify and then prevent misconduct before it balloons into a much bigger problem is anything but easy.

The Centers for Medicare & Medicaid Services has attempted to streamline information into quarterly updates for providers, suppliers and the public. While this helps curate the information and updates to regulations, management and oversight of compliance and putting these regs into practice represents an enormous task for each healthcare system. The distance between knowing and doing can be vast when providers are juggling regulations alongside providing quality patient care. Maintaining oversight of not just the Medicare and Medicaid federal regulations, but compliance with other state and local regulations is required.

The regulatory landscape continues to be muddled with additional requirements to safeguard privacy and to fight fraud and abuse today. Since governing bodies are vigilant about fighting fraud, your compliance process needs to be tight or you’ll risk criminal charges, fines and even the possibility of losing licenses. Every state has its own Medicaid Fraud Control Unit (MFCU), typically as part of the State Attorney General’s office. When your compliance tracking system is thorough, the auditing process and working with your MFCU becomes simpler.

Streamline Compliance Tracking

If your hospital is juggling Medicare and Medicaid payment compliance along with all the other mandates and reporting requirements, it can easily get overwhelming. But, it doesn’t have to be that way. Solutions such as youCompli’s compliance system monitors and translates Medicare and Medicaid regulations for easier understanding. Then, it helps you track and oversee your hospital’s compliance.

If you’re ready to take the headache out of Medicare and Medicaid compliance, it’s time to see what a compliance management system can do for you. Schedule a call today where you can see how our risk management software can support your healthcare system’s compliance program.

LTCs Could Use Some Compliance TLC This Year

You can’t say they didn’t warn us.

For almost four years, since November 2016, the LTC Final Rule for qualifying to receive Medicare and Medicaid payments has been looming like a little dark cloud on the horizon, getting bigger and closer each year.

Now, a streamlined version of the HHS Office of Inspector General’s (OIG) recommendations and guidance have become mandatory. And the Centers for Medicare & Medicaid Services (CMS) is tasked with enforcing them. In full.

To begin with, you’ll need to have a fully detailed, written compliance and ethics program for increasing quality of care and preventing “criminal, civil, and administrative violations” and abuses. Since the OIG recommendations, which you’re familiar with, already cover such programs, that shouldn’t be a huge problem.

You’ll also need to designate your CEO, a board member, an operating division head, or, for smaller LTC facilities, a compliance officer, to be in charge of implementing every aspect of the program. Again, determining which “high-level personnel” to designate shouldn’t be a huge problem either.

Then, you’ll need to actually implement the program and document compliance.

That’s the hard part.

The program will have to include everything from pre-employment screening to person-centered care, special diets, crime and abuse prevention, and a compliance hotline that preserves whistleblowers’ anonymity and prevents retribution.

What’s more, you’ll need to break the program into specific steps and train not only each member of your full- and part-time staff, but also your contractors in the parts of the program that affect their duties.

And then you’ll need to track, audit and report on compliance, every step of the way. Are your current procedures up to the task? Is your IT?

That’s where the TLC comes in.

What if someone could monitor regulatory changes for you, and translate them from legalese into clear business requirements in everyday English?

What if they could give you policies and procedures that comply with the regulations, but that you can tailor to your own facility?

If they could tell you exactly which policies and procedures to follow, which tasks to perform, how, and by whom in your organization, and generate reports on each step towards compliance?

If they gave you the capability to track, audit and report on every step of the compliance process, at any time, with just a few mouse clicks?

Could your LTC use that kind of TLC? If so, click here to learn more.

Understanding and Managing the HIPAA Security Rule

Protecting the privacy of patients is of paramount concern to healthcare organizations today. Data breaches and/or hacking attempts are happening more frequently. Regulatory requirements are constantly changing. And the pace of technology innovations keeps increasing. The penalties, both financial and reputational, can be disastrous for any organization — and its compliance team — that is not prepared and in the know at all times

For example, recently a healthcare institution mailed hundreds of patient statements, containing names, account numbers and payments due, to wrong addresses. The organization believed that, for most of these statements, this was not a reportable breach, because there was no patient diagnosis, treatment information, or other medical information listed.

This was not correct. And the failure to understand the rule and its nuances resulted in a $2 million settlement.

The HIPAA Security Rule is the hedge against that kind of disaster  —  so grasping its complexity is crucial.

The regulations that comprise the Security Rule are often the most difficult to understand and implement, as every security compliance measure must be carefully monitored and reported. Not only are all healthcare organizations required to meet the standards and legal requirements in the Security Rule, there can also be implementation specifications which include provide detailed instructions and steps needed for compliance.

From an administrative perspective, HIPAA requires a documented framework of policies and procedures. These policies and procedures detail exactly what your organization does to protect key information. For example, policies can outline the requirements for training for all employees, including those who do and do not have direct access to vital patient information.

The documents that outline the policy and procedure framework must be retained for at least six years (although state requirements may mandate longer retention periods). As policies change, so must your accompanying documentation. And to further ensure your compliance, periodic reviews of policies and responses to changes in the electronic patient health information environment are also recommended.

From a security perspective, HIPAA requires a comprehensive evaluation of the security risks your organization faces, as well as the electronic health record technologies your organization uses.  This includes a combination of physical safeguards — such as IT infrastructure, computer systems and security monitoring systems — and technical safeguards — such as risk management software, healthcare management software or regulatory software. These safeguards are designed to both protect patient information and control access to it.

Fortunately, the Security Rule allows for scalability, flexibility and generalization. This means that smaller organizations are given greater latitude in comparison to larger organizations that have significantly more resources. HIPAA’s security requirements are also not linked to specific technologies or products, since both can change rapidly. Instead, requirements focus more on what needs to be done and when, and less on how it should be accomplished.

Managing the complexity of the HIPAA Security Rule can be easier. At youCompli, we help you identify, document and monitor your critical HIPAA information. We understand the time and resource constraints that compliance officers operate under — the need for quickly collecting and accessing quality data and reporting it. Our solutions enable you to remain up-to-date with healthcare regulations — what they mean and how to implement them with precision accuracy in cost-efficient and effective ways. Contact us for more information on how to approach and implement the Security Rule and remain in compliance.

Michigan’s Massive Licensing Reg – Processed, Translated and Defined

We process a lot of regulatory changes in the course of business, across both the state and federal landscape. Usually, the more voluminous changes come from the federal level — but a recent new state regulation from Michigan really stood out.

At over 50 pages, titled “Licensing for Health Facilities or Agencies”, it is one of the longer state regulations that has come through our process. The average state document tends to be a couple of pages long and is often simply an amendment to existing rules. This Michigan reg bucks the norm — which just goes to show that, even in the face of a global pandemic, the regulatory world keeps turning.

Essentially, this new reg creates a whole new 10-part set of rules. While the overall regulation involves licensing for facilities, the parts involved touch a wide variety of areas and departments within a healthcare organization. Administrative and patient records, HR, facility maintenance and upkeep, patient rights, security, and outpatient surgical facilities — you name it, this regulation applies to it.

Our expert team broke the regulation down into 9 requirements, written in easy-to-understand terms, to clearly define how the regulation impacts hospitals and what needs to be done to comply. Breaking down a large regulation this way allows us to:

  1. Pinpoint the individual areas of an organization being affected,
  2. Tune in to specific issues involved with each functional area of an organization, and
  3. Ensure an easy-to-understand business requirement is the result.

From 50 pages to 9 clear business requirements, each directed at a particular area of the hospital. No need for any youCompli customer to read this monster regulation — once you log in to the system, we’ll take you through what you need to know, and what steps you need to take to comply.

Want us to do the same for your organization and the regulations you’re managing? Set up a quick meeting here and let’s get started.