Collaboration Between Compliance and Risk: What is Permissible?

Compliance departments, generally speaking, guide staff and boards of directors to comply with the requirements, laws and regulations that govern the organization’s business. They also monitor for compliance via internal audits.  Risk departments, on the other hand, address ways to mitigate risk to an organization through such activities as the evaluation and purchase of insurance policies.  Given the broad nature of the scope of these two departments within the organization, when is compliance and risk collaboration permissible?

Possible collaborations

  1. Strategic planning: Collaboration here should include not only compliance and risk but the entire organization and the board of directors, if applicable.
  2. Disaster response and business continuity: As with strategic planning, disaster response and business continuity planning should also involve input and collaboration from all departments in the organization.
  3. General security and privacy : Here the compliance/privacy officer, information technology/security officer, and risk management director should all be included in the planning.
  4. Known security threat and/or breach incident: Compliance, information technology (IT), and risk management would all participate in mitigating a security threat or breach incident on the organization. Each would provide input and guidance on their respective areas of knowledge.
  5. Risk assessments, gap analysis and mitigation plans: Again, the development of these plans should include leaders from the entire organization; moreover, compliance and risk would specifically collaborate on the assessment, analysis and mitigation activities.
  6. General policy development: Compliance and risk staff can collaborate and provide feedback and input for all organization policies.
  7. Record and document retention schedule: Here compliance and risk can collaborate with legal counsel to ensure record and document retention policies comply with state and federal laws.
  8. Staff education: This is an area where compliance and risk can collaborate to provide training, whether it is done in person, virtually, by email or via online course.

Collaborations to vet and evaluate permissibility

  1. Security breach: As noted above, compliance, IT, and risk will work together once a security breach has been identified. It is important to ensure compliance addresses HIPAA related information and potential reporting requirements; IT evaluates the technical aspects of the breach; and risk focuses on reporting to the insurance carrier and mitigation strategies in conjunction with compliance and IT. These collaborative activities will usually take place under a breach coach or law firm to protect the confidential nature of the breach.
  2. Shared work areas: Depending on the confidential nature of discussions, say a lawsuit against the organization, it may or may not be appropriate for compliance staff to be privy to such information. So shared work areas should be closely evaluated.
  3. Shared staff: As with shared work areas, if a staff member such as a registered nurse (RN) is shared between the compliance and risk department, both leaders and the RN must remain in the scope of the job role in which they are working at the time.
  4. Reporting to the board: Typically, compliance reports to the organization’s leader (such as a CEO) but also has direct or dotted line reporting to the board of directors. Make sure any collaborations with other departments do not create potential conflicts of interest with reporting up this chain of command.
  5. Committee membership: As with the analysis discussed above, make sure to vet compliance staff member membership on the risk committee and vice versa to avoid any actual or potential conflicts of interest.


All organizations should work to develop a culture where permissible collaborations between compliance and risk occur. They should also make certain that staff feel comfortable calling the compliance or risk department with potential concerns while ensuring the staff not crossing any lines when it comes to compliance or risk department confidential matters or conflicts of interest.


  1. Evaluate opportunities for the compliance department to collaborate with the risk management team, as noted above.
  2. Access youCompli to find resources which address required document and record retention requirements.

Denise Atwood, RN, JD, CPHRM

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

Sign-up to never miss a compliance related article!

Manage your healthcare regulatory change process effectively and efficiently

YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.

The New Office of Burden Reduction and Health Informatics: Implications for Healthcare Compliance

You may have heard that, last week, the Centers for Medicare & Medicaid Services (CMS) announced the creation of a new office: the “Office of Burden Reduction and Health Informatics.”

What exactly is this new office supposed to do? According to the press release from CMS, the intent is “to unify the agency’s efforts to reduce regulatory and administrative burden and to further the goal of putting patients first.”

All well and good. But what does that actually mean?

Value-Based Care

Here’s one thing that CMS says clearly. They are “committed to leveraging the significant flexibilities introduced in response to the COVID-19 pandemic as we continue to lead the rapid transformation to value-based healthcare.”

We’ve all been hearing about value-based care for years. (Here’s a piece from 2016, for example.) The pace of change hasn’t been particularly speedy, and the pandemic has disrupted most big transformative plans, especially in healthcare.

That said, the Department of Health and Human Services (HHS) is still committed to value-based care. If reducing or streamlining the regulatory environment is necessary in order to make this change happen, you can bet that HHS and CMS will do it.

What specific regulations will CMS change in order to make this happen? That remains to be seen. Recently, CMS did announce that they will be maintaining at least some of the regulatory changes related to telehealth.

Which ones? We know of one rule change that CMS has announced: the proposed physician fee schedule rule, which should come out in July, will include proposals to permanently expand coverage for telehealth services. As of this writing, the rule has not been published, and CMS has not announced details.

With that exception, however, there hasn’t been a lot of movement on specific regulations that could be helpful. In fact, our observations suggest that most regulators are moving back to business as usual. If CMS has plans to streamline regulations to enable the transformation to value-based care, they are keeping those plans very close to the vest.

Improved Review

However, CMS commits clearly to increasing the number of stakeholders – including clinicians, providers and health plans – that it engages with when assessing the impact of new regulations.

This could be a welcome change for compliance professionals, as a more comprehensive assessment of regulatory impact could result in a regulatory environment that’s a lot easier to work within. Clearer regs with reduced expectations would mean less work required by the clinical and revenue cycle staff in your organization.

And that would mean less time spent following up and trying to get staff to do the work.

Health Informatics

CMS has also committed – as indicated in the second half of the new office’s name – to further implement health informatics. The idea here is to effectively use health data in order to provide better care.

CMS gives this as a specific example: “to create new tools that allow patients to own and carry their personal health data with them seamlessly, privately, and securely throughout the health care system.”

This proposal has obvious advantages for both patients and providers. But it could cause significant headaches for compliance.

Staying in compliance with an EHR system for just one health system is challenging enough. What CMS is proposing is an EHR system that applies across all Medicare and Medicaid beneficiaries. This would be much more complicated! The HIPAA implications alone could be staggering.

So, the use of health informatics could make the work of compliance much more challenging. We can all expect that there will be more data available and being used, and more complex tools to manage it. This trend exists across almost all industries, and healthcare is not going to be an exception.

In a highly regulated environment like healthcare, however, big data and big data tools will need to be monitored very carefully. There are a lot of ways that data tools could violate regulatory requirements. If compliance professionals aren’t careful, software and other tools could be put in place that expose the organization to high levels of risk.

Staying Up to Date

As of this writing, there is limited information as to what the Office of Burden Reduction and Health Informatics will be doing for the US healthcare system. It has a broad mandate, with unclear specifics.

There is a possibility that the office will make compliance easier, by more effectively assessing the impact of regulations before imposing them. There is also a (stronger) possibility that it may make compliance more challenging, by creating wide-ranging technological systems that compliance officers will need to monitor carefully.

As new regulations are issued, and new announcements are made, we’ll be keeping you updated. youCompli customers always have access to the latest regulatory changes as they come out and will be well-positioned to adapt to the environment created by his new office.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Not All COVID-19 Regulations Are Created Equal

You’re struggling to keep up with all the regulatory changes that COVID-19 has created.

Many of these changes have been short and straightforward… but not all of them.

After analyzing one CMS reg (85 FR 27550), we created a 19-page policy document!

The reg’s primary purpose expanded the range of practitioners who can order — and thus be compensated by Medicare and Medicaid — home health services. It also covers a wide range of other revisions for testing, telehealth, medical equipment, and so on.

Our system broke the regulation down into its core requirements — that is, the pieces of the reg that healthcare compliance and clinical professionals need to know about. Then it was reassembled into this document and placed in an order that makes sense.

You can view the whole document by clicking this link.

Every change to a previous procedure is highlighted in red, and it includes hyperlinks to skip around.

Everything is written in clear language, so it’s easy to follow and implement.

Want us to do the same for your organization and the regulations you’re managing? Set up a quick meeting here and let’s get started.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Understanding and Managing the HIPAA Security Rule

Protecting the privacy of patients is of paramount concern to healthcare organizations today. Data breaches and/or hacking attempts are happening more frequently. Regulatory requirements are constantly changing. And the pace of technology innovations keeps increasing. The penalties, both financial and reputational, can be disastrous for any organization — and its compliance team — that is not prepared and in the know at all times

For example, recently a healthcare institution mailed hundreds of patient statements, containing names, account numbers and payments due, to wrong addresses. The organization believed that, for most of these statements, this was not a reportable breach, because there was no patient diagnosis, treatment information, or other medical information listed.

This was not correct. And the failure to understand the rule and its nuances resulted in a $2 million settlement.

The HIPAA Security Rule is the hedge against that kind of disaster  —  so grasping its complexity is crucial.

The regulations that comprise the Security Rule are often the most difficult to understand and implement, as every security compliance measure must be carefully monitored and reported. Not only are all healthcare organizations required to meet the standards and legal requirements in the Security Rule, there can also be implementation specifications which include provide detailed instructions and steps needed for compliance.

From an administrative perspective, HIPAA requires a documented framework of policies and procedures. These policies and procedures detail exactly what your organization does to protect key information. For example, policies can outline the requirements for training for all employees, including those who do and do not have direct access to vital patient information.

The documents that outline the policy and procedure framework must be retained for at least six years (although state requirements may mandate longer retention periods). As policies change, so must your accompanying documentation. And to further ensure your compliance, periodic reviews of policies and responses to changes in the electronic patient health information environment are also recommended.

From a security perspective, HIPAA requires a comprehensive evaluation of the security risks your organization faces, as well as the electronic health record technologies your organization uses.  This includes a combination of physical safeguards — such as IT infrastructure, computer systems and security monitoring systems — and technical safeguards — such as risk management software, healthcare management software or regulatory software. These safeguards are designed to both protect patient information and control access to it.

Fortunately, the Security Rule allows for scalability, flexibility and generalization. This means that smaller organizations are given greater latitude in comparison to larger organizations that have significantly more resources. HIPAA’s security requirements are also not linked to specific technologies or products, since both can change rapidly. Instead, requirements focus more on what needs to be done and when, and less on how it should be accomplished.

Managing the complexity of the HIPAA Security Rule can be easier. At youCompli, we help you identify, document and monitor your critical HIPAA information. We understand the time and resource constraints that compliance officers operate under — the need for quickly collecting and accessing quality data and reporting it. Our solutions enable you to remain up-to-date with healthcare regulations — what they mean and how to implement them with precision accuracy in cost-efficient and effective ways. Contact us for more information on how to approach and implement the Security Rule and remain in compliance.

Michigan’s Massive Licensing Reg – Processed, Translated and Defined

We process a lot of regulatory changes in the course of business, across both the state and federal landscape. Usually, the more voluminous changes come from the federal level — but a recent new state regulation from Michigan really stood out.

At over 50 pages, titled “Licensing for Health Facilities or Agencies”, it is one of the longer state regulations that has come through our process. The average state document tends to be a couple of pages long and is often simply an amendment to existing rules. This Michigan reg bucks the norm — which just goes to show that, even in the face of a global pandemic, the regulatory world keeps turning.

Essentially, this new reg creates a whole new 10-part set of rules. While the overall regulation involves licensing for facilities, the parts involved touch a wide variety of areas and departments within a healthcare organization. Administrative and patient records, HR, facility maintenance and upkeep, patient rights, security, and outpatient surgical facilities — you name it, this regulation applies to it.

Our expert team broke the regulation down into 9 requirements, written in easy-to-understand terms, to clearly define how the regulation impacts hospitals and what needs to be done to comply. Breaking down a large regulation this way allows us to:

  1. Pinpoint the individual areas of an organization being affected,
  2. Tune in to specific issues involved with each functional area of an organization, and
  3. Ensure an easy-to-understand business requirement is the result.

From 50 pages to 9 clear business requirements, each directed at a particular area of the hospital. No need for any youCompli customer to read this monster regulation — once you log in to the system, we’ll take you through what you need to know, and what steps you need to take to comply.

Want us to do the same for your organization and the regulations you’re managing? Set up a quick meeting here and let’s get started.