Telehealth compliance considerations: looking ahead

Telehealth seems to be here to stay, even as the Coronavirus pandemic begins to recede in the United States. It’s a good time for healthcare institutions to make sure their telehealth practices hold up outside of emergency circumstances. 

From a compliance perspective, that means  patient privacy and technology, valid consent for treatment, visits with minors, and interstate care.    

 

Patient privacy in telehealth

Patient privacy is just as important in telehealth as it is for in-person visits. This includes ensuring the provider conducts visits in a private space and documenting the visit in a secure medical record.   

During the Coronavirus national public health emergency, the federal government has some enforcement discretion with telehealth. Regulators can choose not to impose penalties for Health Insurance Portability and Accountability Act (HIPAA) violations if they see that a provider took precautions to protect patient privacy provider. Good faith might mean using a platform like Microsoft Teams, Zoom, or WebEx and patient-specific passcodes – and still having a privacy breach. In a case like this, the regulator has the discretion not to impose fines under HIPAA. 

 

Consents and visits with minors 

Developing a process to obtain consent to treat before the first visit can help you comply with consent requirements. This may include mailing or securely emailing the consent to the patient (or parent or legal guardian) the week before the telehealth visit and having the patient send it back.  This gives the provider time to answer the patient’s questions about consent for treatment.   

For urgent telehealth visit, make sure there are policies in place to address telephone/verbal consent or to obtain two provider consents.  If your system allows, you may be able to electronically send the consent. The patient can sign it online so you can add it to the electronic health record.  

Whatever method to obtain consent your organization chooses, ensure there is a policy addressing the proper procedure and educate the team on the policy.   

For telehealth visits with minors, try to follow the same process as for in-person visits. That means you should obtain the consent to treat and have it signed by a parent or legal guardian.  Then have the parent or legal guardian attends the telehealth visit with the minor patient.  This way diagnosis, care, and treatment plan can be discussed with the patient and the parent or legal guardian at the same time.  

 

Crossing state lines for telehealth

Things to consider if the patient and provider are not conducting the telehealth visit in the same state: 

  • Licensing: Some state licensing boards have reciprocity. Some may not require an additional license in compact states while others may require a temporary or actual license to provide care in that state. This often applies to care provided via telehealth. 
  • Prescriptions: Can you prescribe across state lines? Avoid compliance issues by sending the prescription to a pharmacy in the provider’s “home” state. Then have the patient request a pharmacy-to-pharmacy transfer of the prescription. 
  • Your insurance: Does your medical professional liability (MPL) insurance provide coverage if you are out of state? How about if the patient is located outside your “home” state? Contact your MPL insurer to be certain you have coverage in the event of an out of state lawsuit. 
  • The patient’s insurance: What will the patient’s insurance cover for visits conducted out of the patient’s “home” state?  Be sure to verify this before the patient’s telehealth visit to ensure proper billing and reimbursement for the visit and to decrease billing denials.   

Considerations for adding telehealth as a service line 

There are resources available for organizations considering adding telehealth as a permanent service line. YouCompli can help you understand which regulations apply to you, stay on top of changes, and manage implementation.  

You can also find many free resources online:  

For many types of visits, patients love the option of telehealth. As providers work to be sure that they continue to deliver quality care, Compliance teams have an equally big job to be sure the systems and processes are in place to support that experience. 

Keep on top of regulations affecting telehealth and making sure those regulations are translated into policies and procedures that affect patient care. YouCompli customers have access to notifications about changes to regulations, resources to inform policy and procedure updates, and tools to track compliance. Contact us today to learn more. 

Denise Atwood, RN, JD, CPHRM is the Chief Risk Officer at District Medical Group (DMG), Inc., vice president of DMG Insurance Company (DMGIC), and owner Denise Atwood, PLLC.   

Disclaimer: The opinions expressed in this blog are the author’s and do not represent the opinions of DMG. 


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  


Collaboration Between Compliance and Risk: What is Permissible?

Compliance departments, generally speaking, guide staff and boards of directors to comply with the requirements, laws and regulations that govern the organization’s business. They also monitor for compliance via internal audits.  Risk departments, on the other hand, address ways to mitigate risk to an organization through such activities as the evaluation and purchase of insurance policies.  Given the broad nature of the scope of these two departments within the organization, when is compliance and risk collaboration permissible?

Possible collaborations

  1. Strategic planning: Collaboration here should include not only compliance and risk but the entire organization and the board of directors, if applicable.
  2. Disaster response and business continuity: As with strategic planning, disaster response and business continuity planning should also involve input and collaboration from all departments in the organization.
  3. General security and privacy : Here the compliance/privacy officer, information technology/security officer, and risk management director should all be included in the planning.
  4. Known security threat and/or breach incident: Compliance, information technology (IT), and risk management would all participate in mitigating a security threat or breach incident on the organization. Each would provide input and guidance on their respective areas of knowledge.
  5. Risk assessments, gap analysis and mitigation plans: Again, the development of these plans should include leaders from the entire organization; moreover, compliance and risk would specifically collaborate on the assessment, analysis and mitigation activities.
  6. General policy development: Compliance and risk staff can collaborate and provide feedback and input for all organization policies.
  7. Record and document retention schedule: Here compliance and risk can collaborate with legal counsel to ensure record and document retention policies comply with state and federal laws.
  8. Staff education: This is an area where compliance and risk can collaborate to provide training, whether it is done in person, virtually, by email or via online course.

Collaborations to vet and evaluate permissibility

  1. Security breach: As noted above, compliance, IT, and risk will work together once a security breach has been identified. It is important to ensure compliance addresses HIPAA related information and potential reporting requirements; IT evaluates the technical aspects of the breach; and risk focuses on reporting to the insurance carrier and mitigation strategies in conjunction with compliance and IT. These collaborative activities will usually take place under a breach coach or law firm to protect the confidential nature of the breach.
  2. Shared work areas: Depending on the confidential nature of discussions, say a lawsuit against the organization, it may or may not be appropriate for compliance staff to be privy to such information. So shared work areas should be closely evaluated.
  3. Shared staff: As with shared work areas, if a staff member such as a registered nurse (RN) is shared between the compliance and risk department, both leaders and the RN must remain in the scope of the job role in which they are working at the time.
  4. Reporting to the board: Typically, compliance reports to the organization’s leader (such as a CEO) but also has direct or dotted line reporting to the board of directors. Make sure any collaborations with other departments do not create potential conflicts of interest with reporting up this chain of command.
  5. Committee membership: As with the analysis discussed above, make sure to vet compliance staff member membership on the risk committee and vice versa to avoid any actual or potential conflicts of interest.

Goal

All organizations should work to develop a culture where permissible collaborations between compliance and risk occur. They should also make certain that staff feel comfortable calling the compliance or risk department with potential concerns while ensuring the staff not crossing any lines when it comes to compliance or risk department confidential matters or conflicts of interest.

PRACTICE TIP:

  1. Evaluate opportunities for the compliance department to collaborate with the risk management team, as noted above.
  2. Access youCompli to find resources which address required document and record retention requirements.

Denise Atwood, RN, JD, CPHRM

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  


Sign-up to never miss a compliance related article!


Manage your healthcare regulatory change process effectively and efficiently

YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.

The Pandemic Is No Excuse: Enforcement Actions Taken by the Office for Civil Rights

We’ve known that enforcement actions were going to pick up again, even though many regulations are still waived or modified during the public health emergency. In the past few months, several decisions have been rendered by the Office for Civil Rights (OCR) which prove the point. Hospitals and other healthcare organizations need remain cautious and cognizant of exactly which regulations are being enforced, and make sure that existing procedures and policies are being followed. 

Religious Rights 

For exampleOCR resolved a complaint against Prince George’s Hospital Center of the University of Maryland Medical System (UMMS). The complaint was raised by a woman who wanted to have a priest attend her critically injured husband during the pandemic. Despite the priest’s willingness to wear any necessary personal protective equipment (PPE), he was refused entry. UMMS implemented a new policy guaranteeing “adequate and lawful access to chaplains or clergy” in order to resolve the complaint. 

second religiously-based complaint was also resolved recently by OCR. In this complaint, filed by a civil rights group, a medical student at Staten Island University Hospital (SIUH) in New York City was ordered to shave his beard, which he kept for religious reasons. The hospital stated that this was in order to ensure his N95 respirator mask had a tight seal around his nose and mouth, even though he had passed a fit test. In resolving the complaint, SIUH provided the student with a Powered Air Purifying Respirator (PAPR) as a religious accommodation. 

Privacy 

OCR also recently resolved a HIPAA-based complaintLifespan Health System Affiliated Covered Entity (Lifespan ACE) in Rhode Island agreed to pay OCR $1,040,000 and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptopNot only did the laptop contain electronic protected health information (ePHI) for 20,431 individuals, OCR found systemic noncompliance with HIPAAincluding lack of encryption on laptops and a lack of device and media controls. 

A Warning for Compliance 

All these enforcement actions took place during the COVID-19 pandemic. The presence of the pandemic is not being taken as a reason for not proceeding with enforcement action. Compliance professionals need to be very aware of what regulations still apply, and how their organizations are continuing to stay within the scope of existing regulations. 

See YouCompli in Action

Easier, faster, more effective compliance is possible

Improving Your Reputation: How to Help Your Healthcare Organization See the Compliance Department in a Positive Light

When the compliance team visits another department, staff responses are usually the same: we must have done something wrong.

This isn’t the response that you want. The compliance department and staff should be seen as approachable, working in a collaborative fashion to make the organization more successful. If the compliance department only comes in to run audits and give “constructive” feedback, then compliance will quickly become known for negativity and criticism.

Collaboration

It is important to collaborate with other departments and incorporate a holistic organizational approach. This means valuing what other team members have to offer with regards to compliance in the organization. It can be easy for compliance professionals to make black or white statements regarding compliance with a specific regulation or policy. After all, it’s there in writing — in black and white.

But, other teams can sometimes bring to light another perspective. There may be gray areas in the written requirements or overall process and addressing these could benefit the organization without compromising compliance.

Or, compliance professionals could demonstrate openness to evaluating how requirements and regulations are impacting specific operational workflows. For example, when evaluating a compliance process for telehealth visits related to obtaining consent, the operations leader should be given an opportunity to work with compliance in developing the process.

In-Person Education

One approach to improving collaboration with other departments is to conduct in-person education and question and answer (Q&A) sessions. Ask all department leaders if you can have ten (but no more than fifteen) minutes at their next staff meeting to introduce the compliance team and to solicit compliance-related topics and questions. Before the meeting, make sure to get the department leader to provide two to three compliance-related topics that would be of interest to their team. Prepare a short slide presentation to use in the meeting — typically, one slide per topic and one Q&A slide at the end.

During the meeting, make sure to leave at least five minutes for compliance Q&A. Listen to the staff questions and solicit information on challenges or knowledge gaps related to compliance, so follow up can be done with the that department or team.

Follow-Up Education

Follow up should be timely (within three to four weeks) and can be done a few different ways: short videos, posts on the internal intranet or website, email education, or additional in-person follow up education. There are several excellent (and free) applications available online where you can create short, two- to three-minute compliance videos that can then be distributed to staff.

Follow-up education could also be done by email if the topic and question and answer lends itself to an email response. For example, if staff ask a question about HIPAA’s application to texts or emails, it would be fairly easy to find a one-page summary on the application of HIPAA to texts and emails and attach that to an email.

Volunteers

Another way to improve collaboration would be to have compliance staff volunteer to participate in organization committees not directly related to compliance. For example, compliance professionals could join the policy committee or the activities committee. In this way, the compliance team can develop positive relationships with others in the organization, in an open and approachable way.

Practice Tip:

  1. Reach out to at least 3-4 departments before the end of the year to schedule and conduct in-person meet and greets with a focus on compliance education.
  2. Utilize services such as youCompli to stay current on compliance topics and regulations to present during your meet and greet meetings.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  


See YouCompli in Action

Easier, faster, more effective compliance is possible

How Do We Modernize Compliance?

Times change and compliance, like all businesses and business operations, needs processes that keep up. However, there are a lot of challenges that we as compliance professionals face when it comes to modernizing our practice. Modernizing compliance means adapting or incorporating requirements, adherence methods and technology to align with current times or requirements.

For example, this could mean learning to effectively audit electronic, instead of paper, health records. Many compliance professionals have also had to adapt to working with a remote workforce, such as billing and coding professionals, as formerly onsite staff have been transitioned out, in favor of a contracted workforce for a third-party company.

With these, and many other, challenges in mind, how do we proactively modernize compliance?

Enterprise Risk Management Planning

One way is to ensure compliance is part of the organization’s enterprise risk management (ERM) plan and business strategy. It is commonly, but incorrectly, believed that an ERM plan only involves the risk management department. An effective and comprehensive ERM plan has to include human capital, operational, financial and strategic domains, as well as addressing legal, regulatory and compliance related domains and issues.

For example, HIPAA or cyber breaches involving PII or PHI can have significant risk to the organization, including reputational, regulatory and financial consequences. Evaluating these compliance-related risks should be part of the ERM planning process, as should the development of strategies in the ERM to mitigate or manage these risks.

Compliance and Education Plans

Another way to modernize compliance is to ensure compliance and education plans are informative, yet easy to understand and follow. Gone are the days where the compliance plan can be over 30 pages long and written in a dense format with little white space. Let’s be honest: other than people in the compliance department, most employees won’t read a 30-page regulatory document which consists of nothing but text.

Compliance Plan

The compliance plan should be developed and laid out in an easy to read format. Graphs and other graphical elements should be included to aid in engagement and learning. And, when including the regulatory language, also include a clear, concrete example of how that applies to the employee.

For example, we all know that HIPAA requires staff to maintain patient privacy. While at work, this includes conversations — so we should not be discussing patients or patient information with co-workers in the elevator or bathroom. Similarly, if a person calls asking about a patient, staff must check the registration or admission system to ensure the patient wants their admission shared with callers or visitors.

If you really want your employees to follow the compliance plan, then craft it with that as your intent. Get two to three volunteers from other departments to review and edit the document with you so you ensure you met your goal to educate employees and modernize the compliance plan.

Education Plan

Education plans need to be developed that align with the compliance plan, but also must be informative and fresh. Employees are no longer interested in sitting down for a half-day session of watching PowerPoint presentations. Select annual mandatory compliance education modules that are engaging and can be completed in 10-15 minutes at one time. Ensure the format is varied with some reading, videos and multiple-choice options which enhance learning. Try incorporating in-person education throughout the year so that your co-workers are updated on any compliance policy updates or regulatory changes. But keep the education to around 10 minutes at a time in an easy to understand and engaging format, so employees see compliance as a resource instead of a department that only delivers bad news or wastes their time.

Data Analytics Processes

To modernize compliance, it is also important to create agile and contemporary data analytics processes. We can’t track all healthcare related regulations on paper or spreadsheets anymore. There are simply too many requirements to follow and too many changes to track.

The COVID-19 pandemic is a perfect recent example. Governors from many states were executing executive orders (EO) on a frequent basis to address COVID-19 related matters. These executive orders addressed such topics as whether elective surgery could or could not be performed, what restrictions were lifted with regards to telehealth visits, and what professional licensing requirements were relaxed. For organizations who have facilities in multiple states, tracking EO alone would be an incredible burden in a paper- or spreadsheet-driven department.

And, regardless of EO, there can be compliance issues related to telehealth visits and the ability to bill for those visits. For example, if a provider tries to deliver an annual Medicare visit via telehealth from California for a new patient in Connecticut.

Technology and Automation

It probably goes without saying, but modernizing compliance fundamentally includes incorporating the use of current technology and automation tools to assist with regulatory compliance and education. There are a number of electronic learning systems which automate compliance education assignment and monitoring. These systems allow compliance professionals to assign required annual training, as well as remedial education, by employee type (nurse, doctor, coder, food service, volunteer, therapist, information technologist, etc.).

There are also a variety of internet-based due diligence platforms to ensure potential vendors and contractors are appropriately vetted before the organization does business with them. And, there are many systems available that track regulatory changes and regulatory activity within your organization. There’s no longer a good reason to not explore the options, and see which tools are a good fit for your department and organization.

Practice Tip:

  1. Depending on the size of your organization, get 3-6 volunteers to review and provide input on your compliance plan and compliance education materials.
  2. Evaluate current technology and automation platforms such as youCompli to help meet your organization’s compliance needs.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  


See YouCompli in Action

Easier, faster, more effective compliance is possible

AHA and CMS to Keep Regulatory Flexibilities in Place

COVID-19 continues to create obstacles and challenges for healthcare compliance professionals. Thriving in this environment means being agile and adaptive.

The AHA’s Requests

Last week, the American Hospital Association (AHA) asked the Centers for Medicare & Medicaid Services (CMS) to keep relaxed regulations in place. Specifically, the AHA is interested in keeping flexibility around telehealth, quality and compliance measures, and bed capacity.

The telehealth changes are ones that have been on the horizon for some time. Essentially, the AHA is asking CMS to continue to allow hospitals to provide a wide range of telehealth services, without limitations as to profession or geographic location. The AHA is also asking for flexibility on billing and payments related to telehealth to be made permanent.
More interestingly, the AHA has also asked that CMS extend regulatory relief related to some quality and patient safety regulations. These include expanding the use of verbal orders, and extending the reuse of PPE.

The AHA has also asked that CMS provide hospitals with a transition period, to allow them to more easily move from pandemic response to ordinary practice. This includes a request for temporary waivers for sanctions and penalties related to HIPAA , and flexibility on audit requirements. And, it includes a request that certain rules and requirements be delayed or suspended.

The Response From CMS

Three days after the AHA released this letter, Michael Caputo, Assistant Secretary for Public Affairs at the Department of Health and Human Services (HHS), tweeted this :


The public health emergency is currently set to expire on July 25. However, as of this writing, HHS hasn’t officially announced how long the extension will be

This means that we don’t yet know what will happen when the emergency finally does end. Will HHS give a transition period, as the AHA has requested? Will HHS continue to allow flexibility about telehealth, which they have previously indicated they would?

Staying up to date on this fluid situation is going to be a key task for compliance in the coming weeks.

See YouCompli in Action

Easier, faster, more effective compliance is possible

The New Office of Burden Reduction and Health Informatics: Implications for Healthcare Compliance

You may have heard that, last week, the Centers for Medicare & Medicaid Services (CMS) announced the creation of a new office: the “Office of Burden Reduction and Health Informatics.”

What exactly is this new office supposed to do? According to the press release from CMS, the intent is “to unify the agency’s efforts to reduce regulatory and administrative burden and to further the goal of putting patients first.”

All well and good. But what does that actually mean?

Value-Based Care

Here’s one thing that CMS says clearly. They are “committed to leveraging the significant flexibilities introduced in response to the COVID-19 pandemic as we continue to lead the rapid transformation to value-based healthcare.”

We’ve all been hearing about value-based care for years. (Here’s a piece from 2016, for example.) The pace of change hasn’t been particularly speedy, and the pandemic has disrupted most big transformative plans, especially in healthcare.

That said, the Department of Health and Human Services (HHS) is still committed to value-based care. If reducing or streamlining the regulatory environment is necessary in order to make this change happen, you can bet that HHS and CMS will do it.

What specific regulations will CMS change in order to make this happen? That remains to be seen. Recently, CMS did announce that they will be maintaining at least some of the regulatory changes related to telehealth.

Which ones? We know of one rule change that CMS has announced: the proposed physician fee schedule rule, which should come out in July, will include proposals to permanently expand coverage for telehealth services. As of this writing, the rule has not been published, and CMS has not announced details.

With that exception, however, there hasn’t been a lot of movement on specific regulations that could be helpful. In fact, our observations suggest that most regulators are moving back to business as usual. If CMS has plans to streamline regulations to enable the transformation to value-based care, they are keeping those plans very close to the vest.

Improved Review

However, CMS commits clearly to increasing the number of stakeholders – including clinicians, providers and health plans – that it engages with when assessing the impact of new regulations.

This could be a welcome change for compliance professionals, as a more comprehensive assessment of regulatory impact could result in a regulatory environment that’s a lot easier to work within. Clearer regs with reduced expectations would mean less work required by the clinical and revenue cycle staff in your organization.

And that would mean less time spent following up and trying to get staff to do the work.

Health Informatics

CMS has also committed – as indicated in the second half of the new office’s name – to further implement health informatics. The idea here is to effectively use health data in order to provide better care.

CMS gives this as a specific example: “to create new tools that allow patients to own and carry their personal health data with them seamlessly, privately, and securely throughout the health care system.”

This proposal has obvious advantages for both patients and providers. But it could cause significant headaches for compliance.

Staying in compliance with an EHR system for just one health system is challenging enough. What CMS is proposing is an EHR system that applies across all Medicare and Medicaid beneficiaries. This would be much more complicated! The HIPAA implications alone could be staggering.

So, the use of health informatics could make the work of compliance much more challenging. We can all expect that there will be more data available and being used, and more complex tools to manage it. This trend exists across almost all industries, and healthcare is not going to be an exception.

In a highly regulated environment like healthcare, however, big data and big data tools will need to be monitored very carefully. There are a lot of ways that data tools could violate regulatory requirements. If compliance professionals aren’t careful, software and other tools could be put in place that expose the organization to high levels of risk.

Staying Up to Date

As of this writing, there is limited information as to what the Office of Burden Reduction and Health Informatics will be doing for the US healthcare system. It has a broad mandate, with unclear specifics.

There is a possibility that the office will make compliance easier, by more effectively assessing the impact of regulations before imposing them. There is also a (stronger) possibility that it may make compliance more challenging, by creating wide-ranging technological systems that compliance officers will need to monitor carefully.

As new regulations are issued, and new announcements are made, we’ll be keeping you updated. youCompli customers always have access to the latest regulatory changes as they come out and will be well-positioned to adapt to the environment created by his new office.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Worker Fatigue and the Potential Negative Impact on Compliance

When workers get fatigued, what is the impact on compliance?

We all know that, during a normal workday, workers can get fatigued. Fatigue can come from a variety of sources, including personal and professional challenges or stressors. Mental fatigue specifically occurs when there is a need to process overwhelming amounts of new data or information.

The impact and stressors of working during a pandemic can make this worse. Mental fatigue is exacerbated because there is so much new information to cull through on a daily (sometimes more frequent) basis. Combine this information overload with rapidly changing pandemic recommendations and guidelines, and it’s no wonder that workers are becoming more fatigued.

Effects of Fatigue

Memory and performance both decline when a person is mentally fatigued, which can lead to non-compliant behaviors and actions. This happens because fatigue decreases the ability to make new, short-term memories. Lack of short-term memories prevents the formation of long-term memory knowledge. And a person simply cannot recall information which has not been transferred to long-term memory. In this way, fatigue decreases the ability to recall information – whether recently learned or already known.

For example, if the organization has not previously billed for telehealth visits, a fatigued coder may not remember the education that was provided regarding telehealth documentation requirements or the codes applied to these visits. Moreover, the coder may have difficulty recalling in-person visit codes or coding modifiers. When these effects of fatigue happen, coding compliance will decrease.

Mental and physical fatigue can affect worker performance in other ways. Think about the last time you did not get a good night’s sleep. At work the next day, all you can think about is drinking more coffee or taking a nap or going to bed early that night.

Signs of this kind of fatigue include decreased awareness or a general decrease in interest with respect to work or job tasks. Other signs of fatigue include changes in judgment or decision-making. Take, for example, an employee who is usually very engaged on the job, but unexpectedly shows up late for a scheduled meeting. During the meeting, the employee is unusually quiet and provides limited feedback. If that employee’s knowledge and feedback are necessary to make a critical compliance-related decision there would be not only a negative effect on compliance, but potentially a negative effect on the entire organization.

Compliance Fatigue

There is also a form of specific compliance fatigue – where people are overwhelmed and wearied by the numerous adherence requirements in healthcare policies and procedures and rules and regulations. This combines with mental fatigue, which inhibits the ability to remember and follow these policies and procedures, which is the cornerstone of good compliance.

Employees may know and understand policies and procedures addressing HIPAA. For example, they must use encryption when emailing protected health information (PHI) or personally identifiable information (PII) or payment card information (PCI). Similarly, in the course of their work, they must exercise heightened caution before clicking on links embedded in emails. If they are experiencing fatigue, the possibility of compliance failures increases.

As physical, mental and compliance fatigue increase the potential for job related mistakes, they conversely decrease worker compliance. The overall impact of worker fatigue can have very real and negative impact on compliance ranging from simple mistakes or lapses in judgment to catastrophic errors related to breach of PHI/PII or PCI.

Practice Tips

Encourage supervisors to regularly meet with their staff to evaluate the level of information fatigue or physical fatigue. If possible, conduct education and feedback sessions to help the team talk through fatigue challenges.

Utilize resources, such as youCompli, to assist the team in staying current with healthcare compliance related changes to guidelines, regulations and laws, and managing compliance-related workflows automatically.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  


5 Payer Audit Errors Every Hospital Must Avoid

5 payer audit errors

Revised September 2022

Most healthcare providers, from large hospitals to solo practitioners, experience an external audit at some point. The scrutiny can unveil errors and violations, which can lead to hefty penalties. 

The key to surviving an external audit, with the least amount of frustration, is to avoid these five common mistakes. 

1. Late Responses

Your deadline to submit relevant documentation begins upon receiving that external audit request. 

External audits may be requested by a commercial health insurance payer, or government agencies such as the Centers for Medicare and Medicaid Services (CMS) or Office for Civil Rights (OCR). While the origin of the audit request doesn’t matter, a timely response is essential. 

Take all deadlines seriously. If an extension is needed, ask for one, immediately. Missing deadlines can result in hefty fines and penalties. 

2. The Wrong Documentation

A common trigger for payer audits is improper or lack of necessary documentation.  As a healthcare practitioner, you must prove the medical necessity of each test or procedure used to diagnose and treat your patients. 

Here’s the tricky part. Sometimes payers and providers disagree on what tests or procedures are medically necessary.  Additionally, medically necessary guidelines change frequently. CMS provides local coverage determinations (LCDs) and national coverage determinations (NCDs) to help with your documentation. Be sure you are aware of changes to these coverage determinations.  

The best way to mitigate this problem is to educate your staff on what services the payer considers medically necessary, and what documentation is required to establish medical necessity. 

 Additionally, clearly document the need for a particular procedure to treat or diagnose a patient. Finally, when required, ensure that authorization is received from the payer before rendering services. 

3. Billing the Wrong Codes

Incorrect billing and coding practices can raise suspicion of fraud, failed claims, or delayed reimbursement, and — you guessed it — external payer audits. Providers and patients overpay a whopping $68 billion annually due to incorrect billing. 

 Coding systems developed by the American Medical Association and the Centers for Medicare and Medicaid are designed to streamline the billing process. Every medical procedure and service from ambulance rides to chemotherapy drugs to doctor visits are contained within coding systems such as the ICD-10, CPT, and HCPCS. 

Studies show 80 percent of medical bills in the U.S. contain errors. This percentage can decrease by ensuring appropriate staff stay current with billing and coding updates and communicate those changes to the right clinical and administrative staff to avoid old and outdated codes. 

4. No Self-Audit

One way to prepare for payer audits is to perform regular self-audits within your facility.  Internal audits are great for identifying and eliminating weak spots that can potentially lead to headaches down the road, like rejected claims and costly compliance failures. 

 One drawback is the strain on precious resources like time and personnel. You can get around this problem by hiring a third-party audit service. Make sure you have HIPAA-compliant Business Associate Agreements (BAA) so that you’re allowed to share your patient health information with third parties providing auditing services.  

 Another option is to use software provides 24/7 access to survey compliance data. Ideally, this software will provide automatic tracking of all documentation and decisions involved in the process of running your organization. 

 This ensures that compliance professionals can get immediate reporting on how well their team is doing, conducting audits more efficiently and effectively. It’s a time and cost-effective solution to hiring an outside third-party provider. 

5. No Legal Help

Having a healthcare attorney in your corner can mean the difference between a smooth audit experience and an audit nightmare. 

Here’s how a healthcare legal team can benefit your health practice: 

  • Work intimately with your staff to analyze any risky billing procedures. 
  • Challenge any demands from payers for overpayment. 
  • Challenge any allegations of fraudulent billing practices. 
  • Push back on any denied claims and the overuse of service claims. 

 Again, software is a useful tool to support your attorney’s work. A system that stores all compliance information, including payment practices, and has search capability will provide your legal team with the information they need to fight payer audit discrepancies when the time arrives. 

 External payer audits don’t have to be a nightmare. By being adequately prepared and vigilant, your next audit experience can be more streamlined and less stress-inducing. 

Learn More About YouCompli

The best way to prepare for a payer audit is to carefully manage changes to regulatory changes and coverage determinations. YouCompli can help you establish a scalable, repeatable process so you don’t miss a relevant change and you can equip your clinical colleagues to respond to the change. Then, when the audit does happen, you’ll have an easy way to demonstrate your work to comply with the requirements. Find out more. 


Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.


Never Miss an Article on Healthcare Compliance

Get a 15-minute strategic overview of YouCompli