“To protect patients’ privacy and adhere to federal law, compliance professionals must understand what online patient data is being tracked and used by their organization’s website, social media pages, and payment portals.”
“Privacy can make or break an organization. For healthcare systems in particular, it’s essential to lock down data … there are two sides to privacy: the positive benefit side and penalty side ….” – Jerry Shafran, CEO and Founder of YouCompli
Three corrective action plans demonstrate OCR’s expectations for HIPAA compliance. Equip the patient-facing team to meet OCR’s HIPAA Right of Access Initiative
The Dobbs decision could threaten the patient-provider trust. Compliance can help staff understand patients’ privacy rights amid changing healthcare regulations.
Avoid up to $1.5M a year in Privacy Rule penalties and investigations. Information blocking oversight team for effective healthcare regulatory compliance.
OCR’s HIPAA Right of Access Initiative drives investigations and enforcement settlements. Four settlement examples and remedies.
How can you protect personal health information (PHI), medical records, and patient communication when the provider is also the patient?
New rules from the Health and Human Services (HHS) department put stricter guardrails on how and when healthcare organizations provide access to PHI.
Times change and compliance, like all businesses and business operations, needs processes that keep up. However, there are a lot of challenges that we as compliance professionals face when it comes to modernizing our practice. Modernizing compliance means adapting or incorporating requirements, adherence methods and technology to align with current times or requirements.
For example, this could mean learning to effectively audit electronic, instead of paper, health records. Many compliance professionals have also had to adapt to working with a remote workforce, such as billing and coding professionals, as formerly onsite staff have been transitioned out, in favor of a contracted workforce for a third-party company.
With these, and many other, challenges in mind, how do we proactively modernize compliance?
Enterprise Risk Management Planning
One way is to ensure compliance is part of the organization’s enterprise risk management (ERM) plan and business strategy. It is commonly, but incorrectly, believed that an ERM plan only involves the risk management department. An effective and comprehensive ERM plan has to include human capital, operational, financial and strategic domains, as well as addressing legal, regulatory and compliance related domains and issues.
For example, HIPAA or cyber breaches involving PII or PHI can pose significant risk to the organization, including reputational, regulatory and financial consequences. Evaluating these compliance-related risks should be part of the ERM planning process, as should the development of strategies in the ERM plan to mitigate or manage these risks.
Compliance and Education Plans
Another way to modernize compliance is to ensure compliance and education plans are informative, yet easy to understand and follow. Gone are the days where the compliance plan can be over 30 pages long and written in a dense format with little white space. Let’s be honest: other than people in the compliance department, most employees won’t read a 30-page regulatory document which consists of nothing but text.
The compliance plan should be developed and laid out in an easy-to-read format. Graphs and other graphical elements should be included to aid in engagement and learning. And, when including the regulatory language, also include a clear, concrete example of how it applies to the employee.
For example, we all know that HIPAA requires staff to maintain patient privacy. While at work, this includes conversations — so we should not be discussing patients or patient information with co-workers in the elevator or bathroom. Similarly, if a person calls asking about a patient, staff must check the registration or admission system to ensure the patient wants their admission shared with callers or visitors.
If you really want your employees to follow the compliance plan, then craft it with that as your intent. Get two to three volunteers from other departments to review and edit the document with you, to ensure you meet your goal of educating employees and modernizing the compliance plan.
Education plans need to be developed that align with the compliance plan, but also must be informative and fresh. Employees are no longer interested in sitting down for a half-day session of watching PowerPoint presentations. Select annual mandatory compliance education modules that are engaging and can be completed in 10-15 minutes at one time. Ensure the format is varied with some reading, videos and multiple-choice options which enhance learning. Try incorporating in-person education throughout the year so that your co-workers are updated on any compliance policy updates or regulatory changes. But keep the education to around 10 minutes at a time in an easy to understand and engaging format, so employees see compliance as a resource instead of a department that only delivers bad news or wastes their time.
Data Analytics Processes
To modernize compliance, it is also important to create agile and contemporary data analytics processes. We can’t track all healthcare related regulations on paper or spreadsheets anymore. There are simply too many requirements to follow and too many changes to track.
The COVID-19 pandemic is a perfect recent example. Governors in many states were issuing executive orders (EOs) on a frequent basis to address COVID-19 related matters. These executive orders addressed such topics as whether elective surgery could or could not be performed, what restrictions were lifted with regard to telehealth visits, and what professional licensing requirements were relaxed. For organizations that have facilities in multiple states, tracking EOs alone would be an incredible burden in a paper- or spreadsheet-driven department.
And, regardless of EOs, there can be compliance issues related to telehealth visits and the ability to bill for those visits, for example when a provider tries to deliver an annual Medicare visit via telehealth from California for a new patient in Connecticut.
Technology and Automation
It probably goes without saying, but modernizing compliance fundamentally includes incorporating the use of current technology and automation tools to assist with regulatory compliance and education. There are a number of electronic learning systems which automate compliance education assignment and monitoring. These systems allow compliance professionals to assign required annual training, as well as remedial education, by employee type (nurse, doctor, coder, food service, volunteer, therapist, information technologist, etc.).
There are also a variety of internet-based due diligence platforms to ensure potential vendors and contractors are appropriately vetted before the organization does business with them. And, there are many systems available that track regulatory changes and regulatory activity within your organization. There’s no longer a good reason to not explore the options, and see which tools are a good fit for your department and organization.
- Depending on the size of your organization, get 3-6 volunteers to review and provide input on your compliance plan and compliance education materials.
- Evaluate current technology and automation platforms such as youCompli to help meet your organization’s compliance needs.
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.