Collaboration Between Compliance and Risk: What is Permissible?

Compliance departments, generally speaking, guide staff and boards of directors to comply with the requirements, laws and regulations that govern the organization’s business. They also monitor for compliance via internal audits.  Risk departments, on the other hand, address ways to mitigate risk to an organization through such activities as the evaluation and purchase of insurance policies.  Given the broad nature of the scope of these two departments within the organization, when is compliance and risk collaboration permissible?

Possible collaborations

  1. Strategic planning: Collaboration here should include not only compliance and risk but the entire organization and the board of directors, if applicable.
  2. Disaster response and business continuity: As with strategic planning, disaster response and business continuity planning should also involve input and collaboration from all departments in the organization.
  3. General security and privacy : Here the compliance/privacy officer, information technology/security officer, and risk management director should all be included in the planning.
  4. Known security threat and/or breach incident: Compliance, information technology (IT), and risk management would all participate in mitigating a security threat or breach incident on the organization. Each would provide input and guidance on their respective areas of knowledge.
  5. Risk assessments, gap analysis and mitigation plans: Again, the development of these plans should include leaders from the entire organization; moreover, compliance and risk would specifically collaborate on the assessment, analysis and mitigation activities.
  6. General policy development: Compliance and risk staff can collaborate and provide feedback and input for all organization policies.
  7. Record and document retention schedule: Here compliance and risk can collaborate with legal counsel to ensure record and document retention policies comply with state and federal laws.
  8. Staff education: This is an area where compliance and risk can collaborate to provide training, whether it is done in person, virtually, by email or via online course.

Collaborations to vet and evaluate permissibility

  1. Security breach: As noted above, compliance, IT, and risk will work together once a security breach has been identified. It is important to ensure compliance addresses HIPAA related information and potential reporting requirements; IT evaluates the technical aspects of the breach; and risk focuses on reporting to the insurance carrier and mitigation strategies in conjunction with compliance and IT. These collaborative activities will usually take place under a breach coach or law firm to protect the confidential nature of the breach.
  2. Shared work areas: Depending on the confidential nature of discussions, say a lawsuit against the organization, it may or may not be appropriate for compliance staff to be privy to such information. So shared work areas should be closely evaluated.
  3. Shared staff: As with shared work areas, if a staff member such as a registered nurse (RN) is shared between the compliance and risk department, both leaders and the RN must remain in the scope of the job role in which they are working at the time.
  4. Reporting to the board: Typically, compliance reports to the organization’s leader (such as a CEO) but also has direct or dotted line reporting to the board of directors. Make sure any collaborations with other departments do not create potential conflicts of interest with reporting up this chain of command.
  5. Committee membership: As with the analysis discussed above, make sure to vet compliance staff member membership on the risk committee and vice versa to avoid any actual or potential conflicts of interest.

Goal

All organizations should work to develop a culture where permissible collaborations between compliance and risk occur. They should also make certain that staff feel comfortable calling the compliance or risk department with potential concerns while ensuring the staff not crossing any lines when it comes to compliance or risk department confidential matters or conflicts of interest.

PRACTICE TIP:

  1. Evaluate opportunities for the compliance department to collaborate with the risk management team, as noted above.
  2. Access youCompli to find resources which address required document and record retention requirements.

Denise Atwood, RN, JD, CPHRM

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

Sign-up to never miss a compliance related article!

Manage your healthcare regulatory change process effectively and efficiently

YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.

CAN MORAL REBELS ASSIST WITH ORGANIZATION COMPLIANCE?

I recently heard the term “moral rebel” while listening to an SCCE Compliance Perspectives podcast.  This piqued my curiosity because I wanted to know if a moral rebel was perceived as a positive.  In the podcast, Amherst College Professor Catherine Sanderson explained that a moral rebel feels comfortable standing up to a crowd and will call out bad behavior. Similarly, Scott A McGreal in Psychology Today wrote moral rebels have a strong sense of moral identity and are more likely to act morally under pressure.  Politics aside, I think we could use more moral rebels right now, especially in our compliance departments.  So, how can moral rebels assist our organizations with compliance? Let’s look at a hypothetical case scenario to find out…

Case Scenario – Chaperone policy

Your organization has chaperone policy which requires a chaperone to accompany the provider and patient for any sensitive examinations involving the genitalia, rectum, groin, buttocks or breasts.  The policy states the chaperone may be a nurse or medical assistant.

From a compliance and risk perspective, the policy has been implemented to protect the patient, the provider and the organization from potential allegations of inappropriate touching.  Education should be done with the providers to ensure the policy is followed regardless of patient and provider gender.  The policy is written this way because the anatomical gender may not reflect the gender a patient ascribes to, relates to, or identifies as.

If a sensitive examination needs to be performed, a chaperone must be present during the examination and their name should be documented in the visit note. If, however, after being educated about the need for a chaperone during the sensitive examination the patient declines a chaperone, this should be witnessed by the provider and another staff member and documented in the visit note by the provider including the name of the staff member who witness chaperon declination.

Potential non-compliance with the chaperone policy

Jesse is a medical assistant who works in a pediatric and adolescent clinic.  Jesse observes a provider who identifies as male take a patient who identifies as female into an examination room alone.  Since Jesse prepped the patient’s chart the night before, Jesse knows the patient is here for abdominal cramps and irregular menstrual bleeding.  Moreover, Jesse prepared the exam room to ensure the provider had a speculum and gel available for a vaginal exam.  During the patient’s visit, Jesse is never called into the room.  While accompanying another patient to the lab for a blood draw, Jesse sees the female patient checking out at the front desk. Jesse wonders who chaperoned the patient’s visit because the only other medical assistant is on lunch break.

Ability to stand up / come forward

In the case scenario above, Jesse would be deemed a moral rebel by speaking up and confirming whether the chaperone policy was followed by the provider.  If uncomfortable discussing with the provider directly, Jesse may report concerns to the nurse manager for follow up. In an organization where moral rebels are valued the nurse manager would support a culture where moral rebels are not afraid to come forward if organization policies are not being followed or there was potential harm to a patient or another staff member.  Moreover, the nurse manager and compliance would ensure there was no retaliation against Jesse.

PRACTICE TIP:

  1. Educate staff on policies, such as the chaperone policy, and then monitor compliance with that policy.
  2. Foster an environment for moral rebels – individuals who are driven by morals to do the right thing – to bring potential issues to the attention of leadership or compliance without fear of retaliation.
  3. Utilize youCompli to ensure you are up to date on laws, regulations, and reporting related to required compliance policies, such as a chaperone policy.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

Weaknesses in Internal Controls: How to Manage and Mitigate Vulnerabilities

weaknesses internal controls

Revised September 2022

Risk in US Healthcare

It is incredibly difficult to turn off “work brain” after the day is done.  Thoughts and questions keep creeping in during off work time, personal time.   

For example, did I send the new state law privacy requirements to our IT security team to review? Are the staff following and appropriately documenting for telehealth reimbursement?  Or what should be my priorities on Monday morning? These questions all represent potential weaknesses in internal controls.  Let’s explore what can be done to mitigate or decrease any vulnerabilities. 

It is important to have appropriate internal controls supported by open communication between colleagues, and forthright reporting to both compliance and risk departments in an organization. 

Since organizations are still run by humans, there remains the potential that one human sets up a call to discuss a topic (like a regulatory change), and inadvertently forgets to invite all the other humans affected by the change. Having a process in place where an employee discusses a need to meet with his or her supervisor can help ensure you’ve got the right humans at the table.  

Internal controls must also be communicated to the staff so they can adhere to the organization’s expectations and policies. This is where education, early and often, that includes the why behind the internal control, can provide the best results to reducing any vulnerabilities. 

Top Areas of Risk

Top areas of risk to a healthcare organization include weaknesses or vulnerabilities in security, documentation, operations, and staff performance.  Let’s consider the following: 

  • The risk focus for organizational security typically includes areas like information technology (IT) and physical buildings. Cybersecurity data leaks or active shooters are examples of each.  
  • Incomplete, non-existent, or fraudulent medical record documentation is another large risk for health care organizations. 
  • Lack of clear policies, procedures, or protocols (PPPs) present huge risks to the organization as employees may act in a way which is not in compliance with PPPs. 
  • And finally, human error, even if unintentional, can present costly risks to the organization, such as a Stark law violation. Both the strongest and the weakest internal control for health care organizations involves the staff.  Take cybersecurity: many data leaks come from staff clicking on the wrong link or attachment and letting the “bad guys in” to the network. The same is true when an employee lets someone in the building on their badge scan rather than making them badge in themselves.  

Mitigate Risks

Risk mitigation is an organizational strategy to prevent or decrease the impact of mistakes or unanticipated outcomes when they occur.  One strategy is to implement organizational controls, such as PPPs along with checklists and tools, to either prevent or decrease organizational risks. 

  • A primary and effective way to mitigate risks to the organization is to empower the employees with knowledge. Don’t just have employees complete compliance and risk education online.  Go out and meet the staff and answer their questions in real time!  Or encourage them to call or email their questions and provide timely follow up. 
  • Risk and compliance departments should foster a culture of early reporting by staff when there is a mistake or unanticipated outcome or a deviation from the PPPs. When a staff member makes a report, it is important to document the facts while remaining objective and non-judgmental. (Related: Read Brian Kozik’s story of changing the consequence structure to support a safe to speak up culture) 
  • Ensure you have a usable system to track internal control weaknesses to manage and mitigate vulnerabilities. Whether this is a manual process or is done through an IT application, make sure you consistently use the internal controls to evaluate and mitigate risks because they change – frequently. 
  • Review, or if you don’t have them, develop cybersecurity and business continuity plans. These plans should be living documents that are used regularly and revised at least every two years, to ensure compliance and risk topics are current and mitigated.  These plans should not just be a book on the shelf or a file on a computer. The risk focus for these plans should include tools to monitor both IT and the physical building risks. 
  • Commit to being a leader when it comes to promoting an open culture for reporting weaknesses, or breaks, in internal controls so early mitigation strategies can be implemented. 

Proactively setting internal controls helps you and your colleagues address mistakes and errors when they inevitably do happen.  While there is no failsafe way to ensure 100% compliance with internal controls, or that all employees will do the right thing every time, you’ll be better positioned when staff are educated and equipped to comply with regulations and do the right thing.  And in organizations that have an open culture of reporting, both the risk and compliance teams will be aware of the internal control weaknesses so they can implement mitigation strategies early on. 

Strong internal controls are critical to effective regulatory change management. YouCompli can enable your collaboration with compliance champions and free your time to focus on relationships and communications. Take a look at our regulatory change management solution today.  

Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.

Never Miss a Compliance Related Article

Get a 15-minute strategic overview of YouCompli

Earning the Gold Seal of Approval from the Joint Commission

Revised September 2022

Complying with the latest regulations will always be a critical priority for healthcare compliance professionals. But earning approval from The Joint Commission, the recognized global leader for health care accreditation, is growing in importance across healthcare organizations, including hospitals, physician group practices, surgery centers, and other treatment facilities. 

This accreditation, known as The Gold Seal of Approval®, acknowledges an organization’s dedication to providing quality care and services to patients. Some states require health care organizations to be accredited by the Commission in order to participate in particular insurance programs.  

If a healthcare organization is accredited by The Joint Commission, it may be deemed to exceed Centers for Medicare and Medicaid (CMS) requirements, along with state law requirements. Additionally, with the public’s attention increasingly focused on becoming informed consumers, earning accreditation also offers organizations a competitive edge.   

Meet the Joint Commission 

The Joint Commission is an independent, not-for-profit organization based in Illinois. Founded more than 65 years ago, the Commission provides an unbiased assessment of a health care organization’s quality achievements in patient care and safety. 

It offers the following accreditation programs: 

  • Ambulatory Care Accreditation 
  • Behavioral Health Care Accreditation 
  • Critical Access Hospital Accreditation 
  • Home Care Accreditation 
  • Hospital Accreditation 
  • Laboratory Services Accreditation 
  • Nursing Care Center Accreditation 
  • Office-Based Surgery Accreditation 

In addition, The Joint Commission offers 20 different certifications for a variety of clinical programs and services. 

Understand the Accreditation Process 

The Commission’s standards set expectations for an organization’s performance that are reasonable, achievable, and measurable. Its on-site surveys are rigorous and are customized for each organization and its efforts to improve patient outcomes. And the start of a survey is usually unannounced. 

During an on-site survey, Commission surveyors perform their evaluation by: 

  1. Tracing the care delivered to patients, residents, or individuals served 
  1. Reviewing the information and documentation provided by the organization 
  1. Observing and interviewing staff and, when appropriate, patients 

The Commission provides a Summary of Survey Findings Report at the conclusion of the on-site survey, with a final accreditation decision made at a later date. Surveyors could recommend: 

  1. Preliminary accreditation 
  1. Accreditation 
  1. Accreditation with follow-up survey 
  1. Preliminary denial of accreditation 
  1. Denial of accreditation 

An organization’s accreditation is continuous as long as it has a full, unannounced survey within 36 months of the previous survey and it meets all accreditation-related requirements. 

Benefits from Accreditation 

The Gold Seal of Approval is a way to let medical professionals, government regulators, and patients know that an organization stands for quality care, and that it’s always seeking ways to identify known or unknown risks to patient safety. 

For example, healthcare organizations that want to participate in Medicare have to be certified to have met specific CMS quality-related standards. If the organization is accredited by The Joint Commission, CMS will have deemed the entity to have met or exceeded these requirements. That means the organization is not subject to Medicare’s survey and certification process because it has already gone through the Commission’s survey process. 

Additionally, being Commission-accredited may allow the organization to be exempt from meeting state law survey or quality or requirements. Here you want to be sure and check your state laws to see if they exempt entities accredited by The Joint Commission. 

In what other ways can an organization benefit from Joint Commission accreditation? 

  • It can earn various Joint Commission certifications for continued improvement and maintaining performance excellence 
  • It can connect with other like-minded organizations to collaborate on issues affecting the quality and safety of patient care 
  • It can attract more qualified personnel who prefer to serve in a prestigious environment 

Earning Accreditation Means Maintaining Compliance 

Earning the Joint Commission’s Gold Seal of Approval depends on a strong culture of compliance. Organizations that are challenged to manage compliance, or effectively demonstrate compliance, are unlikely to meet the Joint Commission’s rigorous standards. (Read more about Compliance Culture on the YouCompli blog.) 

A culture of compliance is a commitment throughout all levels of an organization to do the right thing and do things right.  When an organization has a strong culture of compliance, there is a spillover effect to obtaining and maintaining Commission accreditation.  Employees see their leaders ensuring the organization is maintaining compliance with elevated standards. Additionally, they see their leaders making business decisions based on organizational policy requirements.  The end result is actions being taken that demonstrate leading by example and modeling that behavior to employees. 

The Gold Seal of Approval accreditation is an important acknowledgment of an organization’s dedication to providing quality care and services to patients. The effort to earn this accreditation is certainly significant, but the payoff in terms of reputation, recruiting and deeming status is worth the effort. Not only that, the process of earning accreditation can help you uncover opportunities to further shape your culture of compliance so that a mindset of always doing the right thing permeates all levels of your organization. All of that is good for the long-term health of your business – and your patients.  

The accreditation process requires significant metrics to demonstrate the effectiveness of your compliance program, YouCompli can help you verify that you took the proper steps to comply with the regulations that apply to you. Find out how.  

Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.

Never Miss a Compliance Related Article

Regulatory Rolodex

You’re responsible for creating and maintaining a culture of compliance in your organization.  You need to embed compliance into everyday workflows and set expectations for individual behavior across your organization.

This is impossible if you don’t know who the right people are in each area of your organization.

What you need is a Regulatory Rolodex©, youCompli has one and you can have it for FREE.

We use this tool to identify and track 2 different types of individuals in each area of your organization.

  • The person responsible for doing regulatory change work
  • The person responsible for higher-level oversight to ensure the regulatory work gets done

youCompli delivers new regulatory requirements to both types of people (and to the compliance department) inside our software.  This allows the compliance department to have complete visibility into the whole compliance process.

To get your free copy of the Regulatory Rolodex© provide the info below and we’ll send it to you.

[email-download-link namefield=”YES” id=”2″]

Interested in seeing how youCompli automates the whole regulatory compliance process?

Attend our 10-minute demo, click the link and select a date and time that is convenient for you.

10-minute demo

“All Rights Reserved”

Innovation is Hot at HCCA Compliance Institute

The hot topic this year at the Health Care Compliance Association’s Compliance Institute, is innovation. Speakers who begin talking about anything from ethics and culture to the latest news, all seem to make their way to the role innovation plays at every level. And we agree. Compliance Best Practices Include Finding Innovative Solutions In fact, […]

Continue reading

youCompli Team Heads to Compliance Institute

  The youCompli team is looking forward to heading to Boston for the HCAA’s Compliance Institute from April 7-10. The HCAA calls this event the single most comprehensive healthcare compliance conference. That’s why we think it’s a terrific chance to learn more from our colleagues in specialties such as Healthcare Reform, Hospital Physician Alignment, and […]

Continue reading

Do You Have the 4 Core Elements of an Emergency Preparedness Program?

four core elements of emergency preparedness

Revised February 2023 Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers Final Rule  (Check out our latest update on emergency preparedness, based on the 2019 final rule.) The motto of the Boy Scouts is Be Prepared. As of 2016, that motto applies to healthcare emergency preparedness, too.  Hurricanes Katrina and Sandy wreaked havoc […]

Continue reading