Compliance officers reflect on COVID pivots and preparing for the end of the public health emergency

Featured speakers: Craig Bennett, Vice President and Chief Compliance Officer, Boston Medical Center; Rachel Lerner, Esq., General Counsel & Chief Compliance Officer, Director, Center for the Prevention of Elder Abuse and Neglect, Hebrew SeniorLife; Maria Palumbo, Chief Compliance & Privacy Officer, Lawrence General Hospital. Moderated by Larry Vernaglia 

Bennett, Lerner and Palumbo addressed the Massachusetts Health and Hospital Association’s Healthcare Legal Compliance Forum in December 2021. (Read a summary.) This recap of their remarks looks at how their Compliance teams responded to COVID and have continued to partner with their organizations to manage regulatory change. It also looks at regulatory changes they are planning for in 2022. To access the full session recording, please contact the Massachusetts Health and Hospital Association.  

Initial COVID response

The panel reflected on their organizations’ initial response to COVID. “All of us had to pivot on a dime,” said Bennett. “We hadn’t had an opportunity to plan for it. Instead, we worked daily that first quarter to make sure we were as compliant as we could possibly be.” He was part of a team that looked at various waivers, platform security, privacy and other issues affected by the public health emergency to provide care safely.  

Lerner had a similar experience. “We immediately convened interdisciplinary committee so we could make changes quickly. Telehealth was really new territory for us, and we had to look at our outpatient medical practice, and home- and community-based care,” she said. “Tracking COVID 19 waivers was a team sport between Legal and Compliance. We broke down some silos, and that may be one good lasting benefit of this experience.”  

Palumbo and her colleagues focused on creating templates and consistency for documentation to make things as straightforward as possible for clinicians. That included having them track their patient contact time in minutes rather than defaulting to 20-minute increments. “We’re auditing these processes now to be sure we’re prepared when it gets looked at externally.”  

Accessibility concerns and solutions

Palumbo illustrated how healthcare organizations had to respond to the specific needs of their communities. “Our population tends not to have computers or printers at home,” she said. It wasn’t enough to deliver COVID test results to the portal, because people needed printed results to return to work or school. Without a printer, they were stuck. “We were like the take-out line at a restaurant – we not only have to contract with the state to provide nine-lane testing, we also have a multiline drive up for picking up your covid test results because people need that hard paper.”  

Building a culture of compliance

Bennett reflected on the tremendous amount of change and adaptation healthcare staff managed over the past two years. “I have to commend all hospital staff in being able to pivot and not missing a beat,” he said. His organization paused or reprioritized certain issues, but they maintained a focus on complying with regulations. That meant checking in with people regularly. That helped him assess whether people were getting the support and resources they needed related to their work. He expects to continue looking for ways to support staff. “We’ll continue to try to add flexibility to meet the needs of our staff and the needs of our patients and organization.” 

Palumbo, too, is working to meet people where they are at. She recently “camped out in the cafeteria,” she said. “I couldn’t believe the results: About 350 people came to talk to me, including residents, physicians, surgeons, nurses, case managers, and housekeeping staff.” They asked about patient privacy and other compliance issues. “So much came up during COVID but we didn’t stop to work through everything or stop to talk to each other. I’ll try to do that at least once a quarter.”  

New compliance issues

Palumbo walked through some upcoming regulatory changes she’s watching. This included the Medicare Final Physician Fee Schedule and noted that the Appropriate Use Criteria changes are delayed until the January first that follows the end of the pandemic. She encouraged everyone to understand the documentation requirements for using nurse practitioners for some portion of care as well as the changes to billing for surgeon and ICU provider time.  

New rules also allow audio-only telehealth visits for behavioral health as long as the patient wants it and the physician documents it properly.  

Balancing privacy, efficiency, safety, and cybersecurity

Lerner continues to address privacy concerns related to COVID testing and contact tracing. “We were working so hard to limit the spread of the disease in our senior living facilities,” she said. “It was hard to navigate contact tracing and privacy.” Now she is addressing cybersecurity insurance requirements, for her own organization and making sure vendors have sufficient insurance. “Moving to remote workforces and telehealth, the cybersecurity exposure is higher than it’s ever been,” she said. “For instance, people working from home might want to print documents, but we have to keep them from printing PHI at home or mailing things insecurely when someone can’t come pick it up.”  

Managing regulatory change

Lerner said she spends a lot of time looking at regulatory changes to understand their implications to her organization. “It can take us a long time to decide ‘does this apply to us?’ And then figure out what to do with it. Then we have to figure out what to do with that information in bits and pieces. It is certainly a complex, ever-changing universe on that front.” She spoke of Compliance’s key role in knitting together all that information to help the organization act on it and integrate it into daily processes.  

YouCompli sponsored MHA’s 2021 Healthcare Legal Compliance Forum. We provide a complete solution to help healthcare compliance organizations manage regulatory change. Find out more about YouCompli.  

Subscribe to get the latest articles about healthcare regulatory changes.

Man typing on laptop
Request a demo of the YouCompli solution.

Health organizations tackle regulatory change at Mass. conference

The Massachusetts Health and Hospital Association recently convened its Healthcare Legal Compliance Forum to update members on key areas of regulatory change, compliance and enforcement in this late COVID era. 

Current and former law enforcement officials, healthcare compliance practitioners, attorneys and consultants gave a broad view of the priorities, challenges and opportunities facing the Compliance profession.  

Federal and State Enforcement Update 

Featured speakers: Toby R. Unger, Chief of Medicaid Fraud Division, Office of the Massachusetts Attorney General; and Patrick Callahan, Healthcare Fraud Unit, US Attorney’s Office. Moderated by David Schumacher, Partner, Hooper, Lundy & Bookman. 

Unger and Callahan noted that the pandemic shifted the makeup of their case load. It reduced the rate of whistleblower and other fraud complaints, and for Unger at least, abuse cases increased.  

They talked about how health organizations can effectively partner with law enforcement. They generally see the best outcomes when Compliance and Legal teams bring issues to them or work quickly with them to find data and resolve issues. 

And they shared their take on effective Compliance functions. A good Compliance department doesn’t need to be huge with a lot of people and formal processes,” Callahan said. “A good department is one that has a real effect when they ask leadership to make a change. They have a voice that gets leadership’s attention, and they can have questionable practices stopped during an investigation. When they ask to press pause, they are listened to.”  

Read More: State and Federal enforcement agencies anticipating more complex investigations as COVID-era practices emerge

Compliance Officer Roundtable  

Featured speakers:  Craig Bennett, Vice President and Chief Compliance Officer, Boston Medical Center; Rachel Lerner, Esq., General Counsel & Chief Compliance Officer, Director, Center for the Prevention of Elder Abuse and Neglect, Hebrew SeniorLife; Maria Palumbo, Chief Compliance & Privacy Officer, Lawrence General Hospital. Moderated by Larry Vernaglia. 

Bennett, Lerner, and Palumbo shared their experience over nearly two years of pandemic-influenced healthcare compliance. They talked about how they collaborated to manage regulatory change and reinforce their culture of compliance. They also talked about the regulatory changes they are planning for in 2022.  

Lerner said she spends a lot of time looking at regulatory changes to understand their implications to her organization. “It can take us a long time to decide ‘does this apply to us?’ And then figure out what to do with it. Then we have to figure out what to do with that information in bits and pieces. It is certainly a complex, ever-changing universe on that front.” She spoke of Compliance’s key role in knitting together all that information to help the organization act correctly and then integrate it into daily processes. 

Read More: Compliance officers reflect on COVID pivots and preparing for the end of the public health emergency

Telehealth in the Pandemic and Beyond  

Featured speakers: Marcus Hughes, Associate General Counsel, UMass Memorial Health; Meg Cosgrove, Associate General Counsel, Beth Israel Lahey Health. And moderated by Jeremy Sherer, Healthcare Attorney, Hooper, Lundy, & Bookman. 

Hughes and Cosgrove discussed interstate telehealth compliance issues. They talked about the hard adjustments providers have to make as demand for telehealth surges and scrutiny of out-of-state practice increases. They shared ways they are preparing for the regulatory changes that will come with the end of the public health emergency.  

As waivers expire, Compliance officers have to increase their efforts at making sure providers understand licensing requirements and the risk of non-compliance. 

Hughes noted that there is a common belief that there is a national framework for remote care, but actually there isn’t. “Now that we’re in the late stage of the pandemic, we have to educate our staff to dispel some of the myths that are out there. And we have to make sure they know that the COIVD waivers are coming to an end.”  

Read More: Healthcare GCs look at telehealth compliance in the Pandemic and beyond

COVID-19 Hot Compliance Topics  

Featured speaker: Martie Ross, Office Managing Principal, PYA  

Ross covered federal vaccine mandates. unwinding regulatory flexibilities, and provider relief fund audits and enforcement. Her detailed slides are available from PYA here. They provide great insight for Compliance practitioners. 

Ross recommends that you review and track changes to internal policies and practices and establish a process to completely unwind. “As a compliance officer, it’s time to back through your compliance documentation over the past two years and think about how you’re going to unwind from these changes,” she said. 

Read More: Compliance expert Martie Ross explains critical regulatory change management issues facing healthcare in 2022

YouCompli sponsored MHA’s 2021 Healthcare Legal Compliance Forum. We provide a complete solution to help healthcare compliance organizations manage regulatory change. Find out more about YouCompli.  

Subscribe to get the latest articles about healthcare regulatory changes.

Man typing on laptop
Request a demo of the YouCompli solution.

Collaboration Between Compliance and Risk: What is Permissible?

Compliance departments, generally speaking, guide staff and boards of directors to comply with the requirements, laws and regulations that govern the organization’s business. They also monitor for compliance via internal audits.  Risk departments, on the other hand, address ways to mitigate risk to an organization through such activities as the evaluation and purchase of insurance policies.  Given the broad nature of the scope of these two departments within the organization, when is compliance and risk collaboration permissible?

Possible collaborations

  1. Strategic planning: Collaboration here should include not only compliance and risk but the entire organization and the board of directors, if applicable.
  2. Disaster response and business continuity: As with strategic planning, disaster response and business continuity planning should also involve input and collaboration from all departments in the organization.
  3. General security and privacy : Here the compliance/privacy officer, information technology/security officer, and risk management director should all be included in the planning.
  4. Known security threat and/or breach incident: Compliance, information technology (IT), and risk management would all participate in mitigating a security threat or breach incident on the organization. Each would provide input and guidance on their respective areas of knowledge.
  5. Risk assessments, gap analysis and mitigation plans: Again, the development of these plans should include leaders from the entire organization; moreover, compliance and risk would specifically collaborate on the assessment, analysis and mitigation activities.
  6. General policy development: Compliance and risk staff can collaborate and provide feedback and input for all organization policies.
  7. Record and document retention schedule: Here compliance and risk can collaborate with legal counsel to ensure record and document retention policies comply with state and federal laws.
  8. Staff education: This is an area where compliance and risk can collaborate to provide training, whether it is done in person, virtually, by email or via online course.

Collaborations to vet and evaluate permissibility

  1. Security breach: As noted above, compliance, IT, and risk will work together once a security breach has been identified. It is important to ensure compliance addresses HIPAA related information and potential reporting requirements; IT evaluates the technical aspects of the breach; and risk focuses on reporting to the insurance carrier and mitigation strategies in conjunction with compliance and IT. These collaborative activities will usually take place under a breach coach or law firm to protect the confidential nature of the breach.
  2. Shared work areas: Depending on the confidential nature of discussions, say a lawsuit against the organization, it may or may not be appropriate for compliance staff to be privy to such information. So shared work areas should be closely evaluated.
  3. Shared staff: As with shared work areas, if a staff member such as a registered nurse (RN) is shared between the compliance and risk department, both leaders and the RN must remain in the scope of the job role in which they are working at the time.
  4. Reporting to the board: Typically, compliance reports to the organization’s leader (such as a CEO) but also has direct or dotted line reporting to the board of directors. Make sure any collaborations with other departments do not create potential conflicts of interest with reporting up this chain of command.
  5. Committee membership: As with the analysis discussed above, make sure to vet compliance staff member membership on the risk committee and vice versa to avoid any actual or potential conflicts of interest.

Goal

All organizations should work to develop a culture where permissible collaborations between compliance and risk occur. They should also make certain that staff feel comfortable calling the compliance or risk department with potential concerns while ensuring the staff not crossing any lines when it comes to compliance or risk department confidential matters or conflicts of interest.

PRACTICE TIP:

  1. Evaluate opportunities for the compliance department to collaborate with the risk management team, as noted above.
  2. Access youCompli to find resources which address required document and record retention requirements.

Denise Atwood, RN, JD, CPHRM

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

Sign-up to never miss a compliance related article!

Manage your healthcare regulatory change process effectively and efficiently

YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.