Risk and Compliance in Healthcare Organizations: The Department of Justice’s 2020 Guidance on Corporate Compliance Programs

The Department of Justice has just issued updated Guidance on the evaluation of corporate compliance programs. This document is the latest in a series of Guidance documents (prior versions were issued in 2017 and 2019) issued by the DOJ to assist prosecutors who are investigating potential criminal acts in business organizations. What implications does this have for healthcare compliance?

When it comes to healthcare organizations, the DOJ will typically defer to the agencies with specific healthcare responsibility, such as the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services (HHS). However, the DOJ guidelines are often relied upon as a “best practice” for developing a corporate compliance program, including a healthcare compliance program. The DOJ is also likely to incorporate healthcare-specific guidelines (such as the Seven Elements of an Effective Compliance Program) along with its own Guidance documents, rather than defer entirely to another agency.

DOJ Guidance Documents Explained

Generally speaking, the DOJ issues these guidance documents in an effort to show transparency to both organizations and attorneys. The intent is essentially prophylactic — that is, here’s what we’re going to be looking for, so make sure that you’re following this; and if you aren’t, you can’t be surprised that we’re asking.

This guidance document is slightly unusual in terms of its strength and scope. It provides all federal prosecutors with a strong mandate to assess and evaluate all aspects of a compliance program, regardless of the industry or nature of the putative misconduct. In other words, as part of a broader criminal investigation, the DOJ will review a compliance program, and use this document to guide their investigation into whether that program was at a sufficiently high standard — or not.

There are three overall questions on which this Guidance is built, along with a number of more specific inquiries to guide prosecutors in determining what, if any, consequences should be applied to the organization. These could include prosecution, monetary penalties, and additional compliance obligations (such as reporting).

Question 1: Is the compliance program well-designed?

The Guidance makes specific reference to a formal risk assessment and resource allocation process. This not only means that a compliance program must start with a risk assessment, but risk assessments must be reviewed and updated periodically, and updates must be made to policies, procedures and controls as necessary, throughout the organization.

The Guidance spins out a number of other specific requirements as well, such as training and communication, and reporting and internal investigations. The punchline, though, is that everything comes out of the risk assessment. Every process and procedure that makes up the compliance program must be aligned with the risks identified by the ongoing risk assessment process.

This means that, at a bare minimum, it is essential that a good compliance program have a strong risk assessment behind it. That assessment must be revisited at regular intervals, and changes in internal controls will need to be regularly made.

Question 2: Is the program effectively implemented?

The DOJ is distinguishing here between what we could call a “real” program, as compared to a “paper” program. In other words, are there appropriate resources to make the program function the way it was designed? Does senior management buy in to the program, and endorse it at a cultural level throughout the organization?

While a risk assessment is where a compliance program begins, the Guidance makes clear that it is in ongoing management and implementation that a compliance program comes to life. Without significant time and resources invested to build the compliance program into the way the organization functions, the program is not going to be sufficient, and the organization will vulnerable to potential penalties.

Question 3: Does the program actually work?

This backward-looking question is intended to assess whether the program was well-designed and well-implemented for the particular organization within which it operates. That is, if misconduct has occurred, was this because the program wasn’t the right program for this organization? Or was the program functioning well, and the misconduct resulted from something else? (DOJ acknowledges that no compliance program will ever prevent every incident of misconduct.)

What DOJ is ultimately looking for here is whether the program changes over time, in response to changes in the organization. If there is misconduct, is it investigated? Are opportunities identified for improving the compliance program to prevent the misconduct in future? Have these remediation efforts actually been implemented? And so on.

Best Practices

Overall, the DOJ has provided a set of clear guidelines that should be used to not only develop new compliance programs, but assess existing ones. Programs which do not live up to the DOJ’s requirements on risk assessments, program implementation, and continuous improvement are more likely to be found to be inadequate. And an inadequate compliance program leaves a healthcare organization at risk.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

How to Juggle Medicare and Medicaid Compliance in a Fluid Regulatory Landscape

Do you treat patients insured by Medicaid or Medicare at your hospital? While participation is voluntary for for-profit healthcare systems, accepting Medicaid and Medicare patients is a condition of federal tax exemption for non-profits. Currently, Medicare and Medicaid account for more than 60 percent of care provided by hospitals making it nearly impossible for healthcare systems to forgo these programs.

So, if the stark reality is that you must participate, compliance becomes an issue. And it’s complex. Especially for hospitals that have multiple outpatient locations and inpatient campuses. Under Medicare provider-based rules, it’s not possible to certify just part of the system. When you consider there’s nearly a 500-page certification process, it’s clear that it’s crucial to have effective compliance tracking.

An effective compliance program is multi-faceted and includes monitoring and auditing, legal reviews of procedures and contracts, reporting mechanisms as well as training for employees. Healthcare systems are multi-faceted too with labs, pharmacies, rehabilitation centers, clinics, surgery centers and more. Keeping on top of compliance not only to effectively report but to identify and then prevent misconduct before it balloons into a much bigger problem is anything but easy.

The Centers for Medicare & Medicaid Services has attempted to streamline information into quarterly updates for providers, suppliers and the public. While this helps curate the information and updates to regulations, management and oversight of compliance and putting these regs into practice represents an enormous task for each healthcare system. The distance between knowing and doing can be vast when providers are juggling regulations alongside providing quality patient care. Maintaining oversight of not just the Medicare and Medicaid federal regulations, but compliance with other state and local regulations is required.

The regulatory landscape continues to be muddled with additional requirements to safeguard privacy and to fight fraud and abuse today. Since governing bodies are vigilant about fighting fraud, your compliance process needs to be tight or you’ll risk criminal charges, fines and even the possibility of losing licenses. Every state has its own Medicaid Fraud Control Unit (MFCU), typically as part of the State Attorney General’s office. When your compliance tracking system is thorough, the auditing process and working with your MFCU becomes simpler.

Streamline Compliance Tracking

If your hospital is juggling Medicare and Medicaid payment compliance along with all the other mandates and reporting requirements, it can easily get overwhelming. But, it doesn’t have to be that way. Solutions such as youCompli’s compliance system monitors and translates Medicare and Medicaid regulations for easier understanding. Then, it helps you track and oversee your hospital’s compliance.

If you’re ready to take the headache out of Medicare and Medicaid compliance, it’s time to see what a compliance management system can do for you. Schedule a call today where you can see how our risk management software can support your healthcare system’s compliance program.

LTCs Could Use Some Compliance TLC This Year

You can’t say they didn’t warn us.

For almost four years, since November 2016, the LTC Final Rule for qualifying to receive Medicare and Medicaid payments has been looming like a little dark cloud on the horizon, getting bigger and closer each year.

Now, a streamlined version of the HHS Office of Inspector General’s (OIG) recommendations and guidance have become mandatory. And the Centers for Medicare & Medicaid Services (CMS) is tasked with enforcing them. In full.

To begin with, you’ll need to have a fully detailed, written compliance and ethics program for increasing quality of care and preventing “criminal, civil, and administrative violations” and abuses. Since the OIG recommendations, which you’re familiar with, already cover such programs, that shouldn’t be a huge problem.

You’ll also need to designate your CEO, a board member, an operating division head, or, for smaller LTC facilities, a compliance officer, to be in charge of implementing every aspect of the program. Again, determining which “high-level personnel” to designate shouldn’t be a huge problem either.

Then, you’ll need to actually implement the program and document compliance.

That’s the hard part.

The program will have to include everything from pre-employment screening to person-centered care, special diets, crime and abuse prevention, and a compliance hotline that preserves whistleblowers’ anonymity and prevents retribution.

What’s more, you’ll need to break the program into specific steps and train not only each member of your full- and part-time staff, but also your contractors in the parts of the program that affect their duties.

And then you’ll need to track, audit and report on compliance, every step of the way. Are your current procedures up to the task? Is your IT?

That’s where the TLC comes in.

What if someone could monitor regulatory changes for you, and translate them from legalese into clear business requirements in everyday English?

What if they could give you policies and procedures that comply with the regulations, but that you can tailor to your own facility?

If they could tell you exactly which policies and procedures to follow, which tasks to perform, how, and by whom in your organization, and generate reports on each step towards compliance?

If they gave you the capability to track, audit and report on every step of the compliance process, at any time, with just a few mouse clicks?

Could your LTC use that kind of TLC? If so, click here to learn more.

Understanding and Managing the HIPAA Security Rule

Protecting the privacy of patients is of paramount concern to healthcare organizations today. Data breaches and/or hacking attempts are happening more frequently. Regulatory requirements are constantly changing. And the pace of technology innovations keeps increasing. The penalties, both financial and reputational, can be disastrous for any organization — and its compliance team — that is not prepared and in the know at all times

For example, recently a healthcare institution mailed hundreds of patient statements, containing names, account numbers and payments due, to wrong addresses. The organization believed that, for most of these statements, this was not a reportable breach, because there was no patient diagnosis, treatment information, or other medical information listed.

This was not correct. And the failure to understand the rule and its nuances resulted in a $2 million settlement.

The HIPAA Security Rule is the hedge against that kind of disaster  —  so grasping its complexity is crucial.

The regulations that comprise the Security Rule are often the most difficult to understand and implement, as every security compliance measure must be carefully monitored and reported. Not only are all healthcare organizations required to meet the standards and legal requirements in the Security Rule, there can also be implementation specifications which include provide detailed instructions and steps needed for compliance.

From an administrative perspective, HIPAA requires a documented framework of policies and procedures. These policies and procedures detail exactly what your organization does to protect key information. For example, policies can outline the requirements for training for all employees, including those who do and do not have direct access to vital patient information.

The documents that outline the policy and procedure framework must be retained for at least six years (although state requirements may mandate longer retention periods). As policies change, so must your accompanying documentation. And to further ensure your compliance, periodic reviews of policies and responses to changes in the electronic patient health information environment are also recommended.

From a security perspective, HIPAA requires a comprehensive evaluation of the security risks your organization faces, as well as the electronic health record technologies your organization uses.  This includes a combination of physical safeguards — such as IT infrastructure, computer systems and security monitoring systems — and technical safeguards — such as risk management software, healthcare management software or regulatory software. These safeguards are designed to both protect patient information and control access to it.

Fortunately, the Security Rule allows for scalability, flexibility and generalization. This means that smaller organizations are given greater latitude in comparison to larger organizations that have significantly more resources. HIPAA’s security requirements are also not linked to specific technologies or products, since both can change rapidly. Instead, requirements focus more on what needs to be done and when, and less on how it should be accomplished.

Managing the complexity of the HIPAA Security Rule can be easier. At youCompli, we help you identify, document and monitor your critical HIPAA information. We understand the time and resource constraints that compliance officers operate under — the need for quickly collecting and accessing quality data and reporting it. Our solutions enable you to remain up-to-date with healthcare regulations — what they mean and how to implement them with precision accuracy in cost-efficient and effective ways. Contact us for more information on how to approach and implement the Security Rule and remain in compliance.

Michigan’s Massive Licensing Reg – Processed, Translated and Defined

We process a lot of regulatory changes in the course of business, across both the state and federal landscape. Usually, the more voluminous changes come from the federal level — but a recent new state regulation from Michigan really stood out.

At over 50 pages, titled “Licensing for Health Facilities or Agencies”, it is one of the longer state regulations that has come through our process. The average state document tends to be a couple of pages long and is often simply an amendment to existing rules. This Michigan reg bucks the norm — which just goes to show that, even in the face of a global pandemic, the regulatory world keeps turning.

Essentially, this new reg creates a whole new 10-part set of rules. While the overall regulation involves licensing for facilities, the parts involved touch a wide variety of areas and departments within a healthcare organization. Administrative and patient records, HR, facility maintenance and upkeep, patient rights, security, and outpatient surgical facilities — you name it, this regulation applies to it.

Our expert team broke the regulation down into 9 requirements, written in easy-to-understand terms, to clearly define how the regulation impacts hospitals and what needs to be done to comply. Breaking down a large regulation this way allows us to:

  1. Pinpoint the individual areas of an organization being affected,
  2. Tune in to specific issues involved with each functional area of an organization, and
  3. Ensure an easy-to-understand business requirement is the result.

From 50 pages to 9 clear business requirements, each directed at a particular area of the hospital. No need for any youCompli customer to read this monster regulation — once you log in to the system, we’ll take you through what you need to know, and what steps you need to take to comply.

Want us to do the same for your organization and the regulations you’re managing? Set up a quick meeting here and let’s get started.

Privacy vs. Transparency: You’re in the Middle

Since 1996, HIPAA has required hospitals and other providers to strictly maintain the privacy and security of patient and clinical records.

In 2010, the Affordable Care Act (Obamacare) required them to digitize those records for greater transparency.

Today, some 96% of hospitals and 78% of doctors’ offices use electronic health records.

As a result, patients can instantly access the notes from their doctor visits, review their prescriptions, see their lab results, and email questions to the doctor(s) they’ve been seeing. And doctors, whether primary care providers or specialists, can have a patient’s personal information and medical history right at their fingertips.

Unfortunately, so can others.

In 2018, a total of 18 million patient records were hacked and phished. In just the first half of 2019, almost twice as many – 32 million – were.

Clearly, there’s a tug of war between privacy and transparency, and hospitals are the rope.

In 2018, the last year for which complete figures are available, hospitals paid out an average of more than $2.5 million in settlements and civil monetary penalties. That year, the HHS Office of Civil Rights conducted a total of 25,520 complaint and compliance review investigations. And even if the vast majority don’t lead to cash penalties, even the mildest OCR action – resolution after intake and review – can still cost you staff hours and money.

That’s one reason it pays to keep on top of all the latest HIPAA and ePHI changes.

Another is on the horizon for this year. Throughout 2019, OCR has been considering HIPAA regulation changes, and at least some of those should become final this year. Some of those could include easing “aspects of HIPAA Rules that are proving unnecessarily burdensome for HIPAA covered entities and provide little benefit to patients and health plan members.”

Others involve making it easier for hospitals and doctors to coordinate, and requiring instead of just allowing hospitals to share ePHI data with other providers.

That’s why alerts to changes practically as they occur, determining how they apply to you, then implementing and documenting compliance with no wasted time or money makes for good self-defense.

In the battle between privacy and transparency, see how we can keep you out of the crossfire.

Is Your Budget Keeping Pace With Your Workload?

Every admission to a hospital triggers $1,200 in regulatory compliance costs, according to an American Hospital Association (AHA) report.

That’s because each hospital with post-acute care beds has to comply with 629 different federal regulations – plus any and all new ones that come along.

Best practices call for you to be constantly scanning the Federal Register and other sources, not just for new regulations but also for changes to old ones. To translate them from “Regulish” to English, so you can analyze what they mean. To decide which parts of which regulations apply to your hospital. To define and assign compliance tasks. And to update your IT, if needed, to monitor and document compliance.

That doesn’t come cheap.

An average 161-bed community hospital spends more than $7.5 million a year on federal compliance – $9 million if it has PAC beds. Plus an average of $411,000 on IT upgrades each year to monitor and document compliance.

While your compliance department is doing this, compliance departments at another 6,145 US hospitals are doing the exact same thing, the exact same way, running up the same kinds of costs.

No wonder American hospitals and health systems spend more than $38 billion a year duplicating each other’s compliance work.

But what if there were one online expert source that could cut out all that needless duplication? That could tell you what you need to know and let you manage your own hospital’s compliance progress in real time, 24/7/365, with just a few mouse clicks?

There is. And it can cut compliance costs through economies of scale, the way Henry Ford did for cars.

With more regulatory changes in the pipeline every year, you’re going to need more budget, more staff and more other resources. Odds are three-to-one you won’t get them. A 2018 study reported that fully 75% of compliance officers surveyed predicted that their budgets would either stay the same or get cut.

Want to beat those odds? Then you’ll want to learn more about a system that lets your compliance department accomplish more for much less.