Managing and responding to regulatory change is a significant effort for healthcare institutions.
Continue readingRegulatory change management is critical to effective enterprise policy management
Yes, worker fatigue is a Compliance concern
How does worker fatigue affect a healthcare organization’ s level of regulatory compliance?
It turns out, employees who are not getting enough rest have a higher chance of making mistakes or performing their work at a sub-standard level. And in healthcare, this can mean increased non-compliance with facility policies and adverse effects on patient care.
Worker fatigue during a pandemic
Healthcare workers have always been at risk of fatigue, particularly with the traditionally long shifts for residents and the high stakes of patient care. The pandemic adds the unknowns of treatment, grief over lost patients, fear of catching the virus and missing family and routine. Unfortunately, this dual fatigue- at work and at home – increases the risk for errors around patient care and other highly regulated elements of healthcare.
Worker fatigue and increased mistakes
Workers who are fatigued may not have the same ability to focus on their tasks. For example, when sending a fax from the hospital to a primary care office on behalf of a patient, a nurse might type in the wrong fax number, thus sending protected health information (PHI) to the wrong person. Or worse, an employee may click on a link embedded in an email that is associated with malware and cause a breach. These are just two examples of how worker fatigue could cause compliance concerns.
Worker fatigue and decreased quality of work
Similarly, when people are fatigued or burned out, the quality of their work and judgment can decrease. For example:
- A usually conscientious employee may cut corners and not ensure a signature is obtained on a patient consent for surgery.
- A contract manager may upload a new contract but forget to obtain a required business associate agreement (BAA) form.
- A compliance audit may show that a Human Resources employee delayed scheduling flu vaccines and tuberculosis test for a group of new employees.
- A nurse may leave confidential patient information showing on a computer screen at the nurses’ station when called away to answer a nurse call light.
How Compliance can help
Helping staff stay well rested doesn’t fall just to the Compliance team, of course. But Compliance is a stakeholder and can partner with Human Resources to make sure the organization prioritizes reducing worker fatigue and supporting employees’ wellbeing.
- Compliance professionals can identify regulatory risks and help prioritize issues and develop materials for staff meetings to reinforce the need for adequate rest. Check out these CDC guides for material:
- Human Resources can create and offer support such as include peer support programs, supporting mental health paid time off, and referrals to the organization’s employee assistance (EAP) program. (An EAP is a work-based intervention program – like counseling – designed to assist employees in resolving personal problems that may adversely affect their performance.)
- Hospital administration can work with department heads to make sure shifts are scheduled in a way that allows for adequate rest.
The issue of worker fatigue is rooted in every aspect of a healthcare organization’s operation. People are passionate about their work and want to care for their team and their patients. Managers are doing their best to schedule people appropriately, but COVID has made existing staff shortages worse. A reminder from the Compliance team may help everyone in the organization take better care of themselves to ultimately deliver better care.
Keep on top of regulations affecting your organization and make sure those regulations are translated into policies and procedures that affect patient care. YouCompli customers have access to notifications about changes to regulations, resources to inform policy and procedure updates, and tools to track compliance. Contact us today to learn more.
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.
Information blocking and the Cures Act
Resources for healthcare chief compliance officers to understand the impact of the Cures Act and information blocking. Includes examples and definitions.
Continue readingCollaboration Between Compliance and Risk: What is Permissible?
Compliance departments, generally speaking, guide staff and boards of directors to comply with the requirements, laws and regulations that govern the organization’s business. They also monitor for compliance via internal audits. Risk departments, on the other hand, address ways to mitigate risk to an organization through such activities as the evaluation and purchase of insurance policies. Given the broad nature of the scope of these two departments within the organization, when is compliance and risk collaboration permissible?
Possible collaborations
- Strategic planning: Collaboration here should include not only compliance and risk but the entire organization and the board of directors, if applicable.
- Disaster response and business continuity: As with strategic planning, disaster response and business continuity planning should also involve input and collaboration from all departments in the organization.
- General security and privacy : Here the compliance/privacy officer, information technology/security officer, and risk management director should all be included in the planning.
- Known security threat and/or breach incident: Compliance, information technology (IT), and risk management would all participate in mitigating a security threat or breach incident on the organization. Each would provide input and guidance on their respective areas of knowledge.
- Risk assessments, gap analysis and mitigation plans: Again, the development of these plans should include leaders from the entire organization; moreover, compliance and risk would specifically collaborate on the assessment, analysis and mitigation activities.
- General policy development: Compliance and risk staff can collaborate and provide feedback and input for all organization policies.
- Record and document retention schedule: Here compliance and risk can collaborate with legal counsel to ensure record and document retention policies comply with state and federal laws.
- Staff education: This is an area where compliance and risk can collaborate to provide training, whether it is done in person, virtually, by email or via online course.
Collaborations to vet and evaluate permissibility
- Security breach: As noted above, compliance, IT, and risk will work together once a security breach has been identified. It is important to ensure compliance addresses HIPAA related information and potential reporting requirements; IT evaluates the technical aspects of the breach; and risk focuses on reporting to the insurance carrier and mitigation strategies in conjunction with compliance and IT. These collaborative activities will usually take place under a breach coach or law firm to protect the confidential nature of the breach.
- Shared work areas: Depending on the confidential nature of discussions, say a lawsuit against the organization, it may or may not be appropriate for compliance staff to be privy to such information. So shared work areas should be closely evaluated.
- Shared staff: As with shared work areas, if a staff member such as a registered nurse (RN) is shared between the compliance and risk department, both leaders and the RN must remain in the scope of the job role in which they are working at the time.
- Reporting to the board: Typically, compliance reports to the organization’s leader (such as a CEO) but also has direct or dotted line reporting to the board of directors. Make sure any collaborations with other departments do not create potential conflicts of interest with reporting up this chain of command.
- Committee membership: As with the analysis discussed above, make sure to vet compliance staff member membership on the risk committee and vice versa to avoid any actual or potential conflicts of interest.
Goal
All organizations should work to develop a culture where permissible collaborations between compliance and risk occur. They should also make certain that staff feel comfortable calling the compliance or risk department with potential concerns while ensuring the staff not crossing any lines when it comes to compliance or risk department confidential matters or conflicts of interest.
PRACTICE TIP:
- Evaluate opportunities for the compliance department to collaborate with the risk management team, as noted above.
- Access youCompli to find resources which address required document and record retention requirements.
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.
Sign-up to never miss a compliance related article!
Manage your healthcare regulatory change process effectively and efficiently
YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.
Weaknesses in Internal Controls: How to Manage and Mitigate Vulnerabilities
Revised September 2022
Risk in US Healthcare
It is incredibly difficult to turn off “work brain” after the day is done. Thoughts and questions keep creeping in during off work time, personal time.
For example, did I send the new state law privacy requirements to our IT security team to review? Are the staff following and appropriately documenting for telehealth reimbursement? Or what should be my priorities on Monday morning? These questions all represent potential weaknesses in internal controls. Let’s explore what can be done to mitigate or decrease any vulnerabilities.
It is important to have appropriate internal controls supported by open communication between colleagues, and forthright reporting to both compliance and risk departments in an organization.
Since organizations are still run by humans, there remains the potential that one human sets up a call to discuss a topic (like a regulatory change), and inadvertently forgets to invite all the other humans affected by the change. Having a process in place where an employee discusses a need to meet with his or her supervisor can help ensure you’ve got the right humans at the table.
Internal controls must also be communicated to the staff so they can adhere to the organization’s expectations and policies. This is where education, early and often, that includes the why behind the internal control, can provide the best results to reducing any vulnerabilities.
Top Areas of Risk
Top areas of risk to a healthcare organization include weaknesses or vulnerabilities in security, documentation, operations, and staff performance. Let’s consider the following:
- The risk focus for organizational security typically includes areas like information technology (IT) and physical buildings. Cybersecurity data leaks or active shooters are examples of each.
- Incomplete, non-existent, or fraudulent medical record documentation is another large risk for health care organizations.
- Lack of clear policies, procedures, or protocols (PPPs) present huge risks to the organization as employees may act in a way which is not in compliance with PPPs.
- And finally, human error, even if unintentional, can present costly risks to the organization, such as a Stark law violation. Both the strongest and the weakest internal control for health care organizations involves the staff. Take cybersecurity: many data leaks come from staff clicking on the wrong link or attachment and letting the “bad guys in” to the network. The same is true when an employee lets someone in the building on their badge scan rather than making them badge in themselves.
Mitigate Risks
Risk mitigation is an organizational strategy to prevent or decrease the impact of mistakes or unanticipated outcomes when they occur. One strategy is to implement organizational controls, such as PPPs along with checklists and tools, to either prevent or decrease organizational risks.
- A primary and effective way to mitigate risks to the organization is to empower the employees with knowledge. Don’t just have employees complete compliance and risk education online. Go out and meet the staff and answer their questions in real time! Or encourage them to call or email their questions and provide timely follow up.
- Risk and compliance departments should foster a culture of early reporting by staff when there is a mistake or unanticipated outcome or a deviation from the PPPs. When a staff member makes a report, it is important to document the facts while remaining objective and non-judgmental. (Related: Read Brian Kozik’s story of changing the consequence structure to support a safe to speak up culture)
- Ensure you have a usable system to track internal control weaknesses to manage and mitigate vulnerabilities. Whether this is a manual process or is done through an IT application, make sure you consistently use the internal controls to evaluate and mitigate risks because they change – frequently.
- Review, or if you don’t have them, develop cybersecurity and business continuity plans. These plans should be living documents that are used regularly and revised at least every two years, to ensure compliance and risk topics are current and mitigated. These plans should not just be a book on the shelf or a file on a computer. The risk focus for these plans should include tools to monitor both IT and the physical building risks.
- Commit to being a leader when it comes to promoting an open culture for reporting weaknesses, or breaks, in internal controls so early mitigation strategies can be implemented.
Proactively setting internal controls helps you and your colleagues address mistakes and errors when they inevitably do happen. While there is no failsafe way to ensure 100% compliance with internal controls, or that all employees will do the right thing every time, you’ll be better positioned when staff are educated and equipped to comply with regulations and do the right thing. And in organizations that have an open culture of reporting, both the risk and compliance teams will be aware of the internal control weaknesses so they can implement mitigation strategies early on.
Strong internal controls are critical to effective regulatory change management. YouCompli can enable your collaboration with compliance champions and free your time to focus on relationships and communications. Take a look at our regulatory change management solution today.
Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.
Never Miss a Compliance Related Article
Organization Liability: Impact and Risk Mitigation (Part II)
Impact of Risk Liabilities
Unmanaged or poorly managed risk can cause devastating effects to the organization from a reputational and financial perspective.
An extreme example of financial risk, coupled with nationwide reputational risks, was the Tylenol case in the 1980’s. The New York Times describes how, in 1982, Extra-Strength Tylenol capsules were tampered with and laced with potassium cyanide. Seven people in the Chicago area died and copycats caused several more deaths across the U.S. As a result of those incidents, tamper-resistant packaging was created and implemented so over-the-counter products, such as Tylenol, could not unknowingly be laced with a poison which could cause injury or death.
Despite the fact that the manufacturer had not introduced the poison, this event led to huge financial and reputational liability for McNeil Consumer Healthcare, the makers of Tylenol. On just the financial side, this cost a considerable amount of money due to decreased sales and increased advertising costs.
As this example demonstrates, financial and reputational risk for an organization in the healthcare field can have disastrous consequences that threaten to bankrupt or put the organization out of business. If the event or incident is sufficiently egregious, the organization could also face loss of accreditation or state licensure. If this happens, they may also lose Medicare and Medicaid contracts.
Risk Mitigation
Proactive risk mitigation strategies include transfer of risk, through such vehicles as contracts and insurance, and early reporting of incidents or events by staff.
Transfer of risk in contracts in typically done with indemnity or hold harmless clause. Transfer of risk via insurance is done by ensuring the organization has adequate coverages and retentions to meet the organization’s needs.
The intent of an indemnity clause is to transfer the risk of financial loss from one party to the agreement to another party to the agreement. Generally, this is financial losses or expenses caused by contract breach or default, negligence, or misconduct by one of the parties.
Hold harmless language in the contract states one party will not hold another party responsible for potential risks or damages. Hold harmless clauses can be unilateral and apply to just one of the parties to the contract or can be bilateral and apply to both parties to the contract. Typically, bilateral hold harmless language is preferred for healthcare organization contracts because each party will assume their own risk and not sue the other party to the contract for the risk which was assumed.
Early reporting by staff is crucial in order to ensure that appropriate action, discussion, documentation and reporting takes place. Most importantly, this is necessary to ensure that risk mitigation strategies can be implemented to eliminate or decrease risk to the organization.
PRACTICE TIP:
- Develop and conduct risk assessments of insurance policies and large contracts to identify areas for improvement.
- Review contracts to ensure indemnity or hold harmless clauses have been included. If not, add the clauses on renewal.
- Work with Risk Management to conduct a risk assessment to evaluate organization risks and implement mitigation plans.
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.
Sign-up for the YouCompli Blog to Stay Up to Date on Compliance Related News!
Manage your healthcare regulatory change process effectively and efficiently
YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.
Organization Liability: Types of Risk (Part I)
Risk is an important concept for compliance professionals working in the healthcare space to understand. After all, there are many times where risk and liability have crossover to compliance.
For example, in response to a suspected email or electronic health record breach, compliance and risk professionals will need to work together. This work will include:
- Evaluating the breach
- Reporting to the insurance carrier
- Collaborating with a breach coach or legal team to ensure the investigation meets legal requirements and timelines
- Collaborating with the information technology team and a forensics firm to ensure risk mitigation strategies are implemented and effective
And so on.
Generally speaking, healthcare compliance professionals should have a good working knowledge of organization risks and liabilities, as well as risk mitigation strategies.
This raises two important questions:
- What areas of risk do healthcare organizations face?
- What are the potential liabilities related to unmanaged or poorly managed risk?
Areas of Risk for a Healthcare Organization
Areas of risk for a healthcare organization are vast, and can involve injury to persons, property and reputation. Several areas of risk include:
Patient safety risks
These include near misses, which are mistakes which almost make it to the patient, as well as events or incidents that do make it to the patient, causing the patient to experience an unanticipated outcome such as a longer hospital stay, disability or death.
For example, a nurse may realize before giving a vaccine to a child that the adult vaccine and dose was drawn up in the syringe instead of the pediatric vaccine and dosage. This would be a near-miss. Along those same lines, a mistake occurs if the adult vaccine dose is actually administered to the child and an allergic reaction occurs.
Operational risks
These include such things as business interruption or supply chain issues. Business interruption incidents may include fire, flood, or pandemic. If the electronic medical record system goes down, and staff have to chart by hand on paper, this would be a business interruption. Supply chain issues can occur due to higher than normal demand or decrease in output by the manufacturer. If an organization cannot obtain needed supplies – such as hand sanitizer or surgical masks – that would be an example of a supply chain issue.
Legal risks
These typically involve lawsuits filed against the organization. Most commonly, lawsuits result from allegations of inappropriate employment practices or medical negligence or malpractice. For example, if a child had an allergic reaction after receiving an adult dose of a vaccine and unfortunately passed away, the parents may file a lawsuit alleging medical malpractice or negligence on behalf of the organization, the provider or the nurse who administered the incorrect vaccine.
Insurance risks
Insurance risks generally stem from a lack of adequate or appropriate insurance coverage or failure to transfer risk. Insurance risks can also connect to legal risks, which can stem from contracts with inadequate risk transfer or failure to conduct due diligence to vet the vendor. In the case of a pandemic, healthcare and other organizations may not have realized that pandemics and resulting business closures may be excluded from their business interruption insurance policy.
Human capital risks
These encompass the inability to hire, contract or retain appropriately trained staff. A lack of ICU level nurses causing staffing shortages would be an example. Human capital risks can also include professional board or licensing complaints against the organization’s doctors, nurses, therapists, or other licensed staff.
Reputational risks
Reputational risks are often forgotten or invisible to an organization until a bad event happens and it is announced to the public – at which point it is too late.
Reputational risk used to be limited to bad publicity which was published in print or reported on television. However, with the increased acceptance and use of social media, reputational risks are more far-reaching than the local newspaper or evening news program, and could potentially have national reach and negative impact on the organization . A newspaper may not run a story about a child who received an incorrect vaccine, but the child’s mother could post to Facebook or other social media platforms that the organization and providers are terrible and not to be trusted.
Practice Tips:
- Schedule a meeting with your insurance broker to evaluate your insurance policies by product line (i.e., general liability, property, cybersecurity, etc.) to ensure the organization is adequately covered to protect against most business losses.
- Educate staff to ensure they know how and where to report near-misses and mistakes that occur in the organization.
- Work with Risk Management to conduct a risk assessment to evaluate organization risks and implement mitigation plans.
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.
Sign-up for the YouCompli Blog to Stay Up to Date on Compliance Related News!
Manage your healthcare regulatory change process effectively and efficiently
YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.
How Do We Modernize Compliance?
Times change and compliance, like all businesses and business operations, needs processes that keep up. However, there are a lot of challenges that we as compliance professionals face when it comes to modernizing our practice. Modernizing compliance means adapting or incorporating requirements, adherence methods and technology to align with current times or requirements.
For example, this could mean learning to effectively audit electronic, instead of paper, health records. Many compliance professionals have also had to adapt to working with a remote workforce, such as billing and coding professionals, as formerly onsite staff have been transitioned out, in favor of a contracted workforce for a third-party company.
With these, and many other, challenges in mind, how do we proactively modernize compliance?
Enterprise Risk Management Planning
One way is to ensure compliance is part of the organization’s enterprise risk management (ERM) plan and business strategy. It is commonly, but incorrectly, believed that an ERM plan only involves the risk management department. An effective and comprehensive ERM plan has to include human capital, operational, financial and strategic domains, as well as addressing legal, regulatory and compliance related domains and issues.
For example, HIPAA or cyber breaches involving PII or PHI can have significant risk to the organization, including reputational, regulatory and financial consequences. Evaluating these compliance-related risks should be part of the ERM planning process, as should the development of strategies in the ERM to mitigate or manage these risks.
Compliance and Education Plans
Another way to modernize compliance is to ensure compliance and education plans are informative, yet easy to understand and follow. Gone are the days where the compliance plan can be over 30 pages long and written in a dense format with little white space. Let’s be honest: other than people in the compliance department, most employees won’t read a 30-page regulatory document which consists of nothing but text.
Compliance Plan
The compliance plan should be developed and laid out in an easy to read format. Graphs and other graphical elements should be included to aid in engagement and learning. And, when including the regulatory language, also include a clear, concrete example of how that applies to the employee.
For example, we all know that HIPAA requires staff to maintain patient privacy. While at work, this includes conversations — so we should not be discussing patients or patient information with co-workers in the elevator or bathroom. Similarly, if a person calls asking about a patient, staff must check the registration or admission system to ensure the patient wants their admission shared with callers or visitors.
If you really want your employees to follow the compliance plan, then craft it with that as your intent. Get two to three volunteers from other departments to review and edit the document with you so you ensure you met your goal to educate employees and modernize the compliance plan.
Education Plan
Education plans need to be developed that align with the compliance plan, but also must be informative and fresh. Employees are no longer interested in sitting down for a half-day session of watching PowerPoint presentations. Select annual mandatory compliance education modules that are engaging and can be completed in 10-15 minutes at one time. Ensure the format is varied with some reading, videos and multiple-choice options which enhance learning. Try incorporating in-person education throughout the year so that your co-workers are updated on any compliance policy updates or regulatory changes. But keep the education to around 10 minutes at a time in an easy to understand and engaging format, so employees see compliance as a resource instead of a department that only delivers bad news or wastes their time.
Data Analytics Processes
To modernize compliance, it is also important to create agile and contemporary data analytics processes. We can’t track all healthcare related regulations on paper or spreadsheets anymore. There are simply too many requirements to follow and too many changes to track.
The COVID-19 pandemic is a perfect recent example. Governors from many states were executing executive orders (EO) on a frequent basis to address COVID-19 related matters. These executive orders addressed such topics as whether elective surgery could or could not be performed, what restrictions were lifted with regards to telehealth visits, and what professional licensing requirements were relaxed. For organizations who have facilities in multiple states, tracking EO alone would be an incredible burden in a paper- or spreadsheet-driven department.
And, regardless of EO, there can be compliance issues related to telehealth visits and the ability to bill for those visits. For example, if a provider tries to deliver an annual Medicare visit via telehealth from California for a new patient in Connecticut.
Technology and Automation
It probably goes without saying, but modernizing compliance fundamentally includes incorporating the use of current technology and automation tools to assist with regulatory compliance and education. There are a number of electronic learning systems which automate compliance education assignment and monitoring. These systems allow compliance professionals to assign required annual training, as well as remedial education, by employee type (nurse, doctor, coder, food service, volunteer, therapist, information technologist, etc.).
There are also a variety of internet-based due diligence platforms to ensure potential vendors and contractors are appropriately vetted before the organization does business with them. And, there are many systems available that track regulatory changes and regulatory activity within your organization. There’s no longer a good reason to not explore the options, and see which tools are a good fit for your department and organization.
Practice Tip:
- Depending on the size of your organization, get 3-6 volunteers to review and provide input on your compliance plan and compliance education materials.
- Evaluate current technology and automation platforms such as youCompli to help meet your organization’s compliance needs.
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.
Emergency Preparedness Revisited
Emergency preparedness has always been one of the top concerns of hospital administrators and medical staff, but never has it been more critical. As the the coronavirus pandemic continues to impact the United States, and facilities are struggling to maintain levels of personal protective equipment (PPE) and ventilators, administrators and compliance professionals should also review the updated federal emergency preparedness requirements, published by the Centers for Medicare and Medicaid Services (CMS) in the Federal Register on September 30, 2019.
We previously blogged about these requirements in 2017, but the requirements have changed in the past few years. Here are the four core elements of a hospital’s emergency preparedness plan to handle natural and man-made disasters — and a look at how they are impacted by last year’s final rule revision by CMS:
Risk Assessment and Planning
Commonly referred to as the emergency plan, CMS requires such a strategy to be developed and then updated at least once a year. It is based on certain risk assessments and uses an “all-hazards” approach that focuses on hospital capacities and capabilities, care-related emergencies, equipment and power failures, communication interruptions (including cyberattacks), and interruptions to water, food, and medication supply chains.
A major change to this element involves hospital climate control and power. Facilities are no longer required to heat and cool the building evenly. However, safe temperatures are to be maintained in areas deemed necessary to protect patients, other people in the facility, and provisions stored in the facility during the course of an emergency, as determined by a risk assessment. If a hospital is unable to maintain safe temperatures, it should follow an established plan for a timely relocation/evacuation that avoids patient exposure to harmful conditions. Additionally, hospitals are required to have an essential electric system with a generator that complies with the NFPA 99 – Health Care Facilities Code.
Like before, the plan must include strategies for addressing emergency events and include a process to work in conjunction with local, tribal, regional, state, and federal emergency preparedness officials. But the key change to the all-hazards approach — and this is crucial in light of recent events — is that all participating hospitals must be prepared for emerging infectious disease (EID) threats, such as the coronavirus. EIDs may require modification to standard facility protocols to protect the health and safety of patients and personnel, such as isolation and PPE usage.
Communication Plan
This element received additional fine-tuning. Participating hospitals still must develop a communication plan that complies with local, state, and federal laws and the plan must be reviewed and updated annually. It should now also include the names and contact information of key hospital personnel for local, tribal, regional, state, and federal emergency preparedness officials. And, it should detail how patient care is coordinated within the facility, across healthcare providers, and with local and state public health departments and emergency management systems.
Policies and Procedures
Hospital policies and procedures still must be based on the emergency plan, risk assessment, and the communication plan, and must be reviewed and updated at least once a year. They should address a broad range of topics and situations, including subsistence needs (water, food, medical supplies) of patients and staff, emergency staffing strategies, tracking the location of on-duty staff and patients during emergencies, sheltering-in-place plans, and patient relocation/evacuation plans.
Training and Testing Program
This revised element the result of an additive process. Program development is based on the emergency plan, the risk assessment, the communication plan, and the policies and procedures. As before, the final rule states the program must detail who needs to be trained, describe the frequency of training, how knowledge is assessed, and document how the training was conducted.
During the course of normal events, hospitals are required to annually conduct a mock disaster drill that is either a full-scale, community-based or individual facility-based exercise. In addition, hospitals must also hold a discussion-based tabletop exercise with its senior staff to discuss hypothetical emergency scenarios and reassess policies and procedures. But recent years have not been normal.
Along with the coronavirus outbreak, many parts of the country have suffered from an increase in natural disasters or mass shootings. The final rule revision acknowledges this wide spectrum of emergencies. If there is an event that activates a hospital’s emergency plan, that facility is exempt from holding its annual mock disaster drill for one year following the incident, provided it has written documentation. If a hospital activates its emergency plan twice in one year, it is exempt from both the mock disaster drill and tabletop exercise for one year following the actual events. Again, written documentation of these events and procedures is required.
Maintain Compliance with CMS
Being compliant with the September 30, 2019 final rule is a requirement for your facility’s Condition of Participation (CoP) / Condition for Certification (CfC) with CMS. Failure to comply, even during a pandemic, could thus have significant impact on your organization. The youCompli compliance management software is a powerful tool to help mitigate risk and enable your hospital to effectively implement these, and many other, regulatory requirements. The software is easy to use and quick to deploy, and can be a powerful means to drive efficiencies through your compliance department.