regulatory change management » YouCompli

Stark Law and its revisions benefit patients

Recent changes to Stark aim to increase coordination of patient care, modernize, and clarify rules related to the law.

Five tips to help providers comply with Stark

The Stark Law creates a whole set of antikickback rules that providers must understand and actively work to comply with. And with all its good intentions, the Stark Law is incredibly restrictive. In fact, even the U.S. Court of Appeals for the 4th Circuit noted that “even for the well-intentioned healthcare provider, the Stark law has become a booby trap rigged with strict liability and potentially ruinous exposure.”

The Centers for Medicare and Medicaid (CMS) and Congress have taken steps to clear up confusion and loosen the rules in some cases (See our article on exceptions for value-based care). Still, your Compliance team has a tremendous responsibility to make sure that policies match the rules and that providers understand and follow the policies.

Policies match the Stark rules

Changes to the Stark Law have been coming out practically since the law was enacted. The law, which aims to protect against kickbacks and self-referrals, has gotten complicated in the details. Congress issues amendments to help the law catch up to changing business practices. Healthcare organizations may have written policies that facilitated compliance originally. However, those may be completely out-of-date if they weren’t keeping up with the changes in the law.

For example, CMS has introduced modifications that addressed challenges with value-based care and resolve issues restricting coordinated care and health data exchange. Another modification to the law was allowing healthcare providers to accept cybersecurity tech donations from stakeholders.

While the compliance officer enforces the policies, he or she doesn’t have to live them the way those in operations do. Getting input from key stakeholders such as providers, Risk Management, and others in the C-suite can help ensure that final policies are clear. This early feedback and engagement can also help identify how the policy or regulatory changes will affect the individuals who must operate under them. Lastly, they can help identify potential operational conflicts with new policies or regulatory changes.

(See how YouCompli delivers model policies and procedures that help your organization comply.)

Providers following the Stark policies

With compliant policies in place, it’s time to help providers understand how to follow them. This is where communicating what certain key terms in a policy or regulation means in the context of the provider’s particular work becomes critically important.

Compliance officers know that “the road to success is going to run through quality of care,” says Harry Nelson, health care attorney at Nelson Hardiman. “Compliance isn’t the internal police that slows things down, but a strategic part of growth.” When it comes to making sure providers understand how to follow policies, the compliance officer has to look at the language of the policy from the providers’ perspective, not that of the compliance officer.

Here are five steps to help providers understand and follow Stark-compliant policies:

Engage your operational leaders. Make sure the president and CEO understand the nature and intent behind Stark limitations so they can help explain and reinforce them. Give situational examples they can relate to so they understand what the key terminology means.
Invest in training and communication. One email won’t do it with changes to Stark-related policies. Engage providers in small groups, in writing, and in person to explain nuances and answer questions about tricky scenarios. Whenever possible, use real-world scenarios to help illustrate how the regulations and policies impact them. Education and training should also be routine and ongoing with key stakeholders.
Get feedback. Regularly check in to gather feedback from your leaders. Find out if the implemented tools and procedures are working for them, as well as to identify challenges they face. This step will help you see areas where the words on paper mean something the compliance officer had not thought of. Adapt procedures and tools if necessary.
Encourage people to ask questions. Make sure providers and your operational leaders alike know they can use you as a sounding board for grey areas or possible violations. It’s much better if they proactively ask if a proposed arrangement is compliant. Otherwise, they may have to unwind a relationship if they find out it is not compliant.
Promote awareness to prevent future mistakes. Once an error is made, chances are it will reoccur and lead to additional violations. As you are addressing errors, promote awareness to prevent future mistakes. For example, when you are communicating the fact that a mistake was made, go the extra step to what caused it. This will be an opportunity to find out where their confusion was and use that insight to update policies or training.

Stark compliance starts with knowing about changes to the regulations and continues with crafting policies that providers can understand and follow. Involving stakeholders in policy creation and training, and engaging tech systems to reinforce the lessons will support the long-term success of Stark-compliant policies.

Do you have the tools you need to recognize and manage regulatory change across your organization? Find out how YouCompli can help you manage and coordinate your response to regulatory change or schedule a demo.

Subscribe for blog updates

How to regulatory change management risk management Tips

Telehealth policies and programs center on patient care

Patients and providers alike flocked to telehealth in 2020. Before the COVID-19 pandemic began, fewer than one percent of Medicare primary care visits (PCV) were conducted via telehealth. By April 2020 that number had risen to 43 percent. (See the data.)

This spike was in response to fear of spreading the virus, of course. But it was only possible because healthcare organizations worked so hard to adjust to meet the ongoing patient needs. The federal government helped by announcing a public health emergency that eased key rules.

Compliance professionals worked across their organizations to make sure that everyone understood and complied with documentation, coding and confidentiality requirements. For example, compliance professionals collaborated with clinical teams to ensure telehealth workflows were HIPAA compliant. And, given the potential for abuse and scrutiny, providers who bill Medicare/CMS took extra care to document visits properly.

Telehealth has been hugely popular with patients and has led to better visit compliance, particularly for uninsured and underinsured populations. Telehealth has improved patient care by allowing convenient appointments from the comfort of home via a smartphone, tablet, or computer. Another benefit is that telehealth has the potential to expand health care access to underserved populations by eliminating traditional barriers to care such as transportation needs, distance from specialty providers, and approved time off from work. These visits were essential for patients with limited mobility. And of course, there’s the most immediate and urgent benefit of telehealth: reducing the spread of COVID-19 by limiting person-to person-contact.

The work for the Compliance team and colleagues across the organization was significant. They had to determine how to maintain confidentiality, obtain consent, and determine proper billing codes. Despite the enormity of this task, the effort seems to be worth it. Patients are reporting that telehealth helps them take better care of themselves. According to Medical Economics:

93% of patients would use telehealth to manage prescriptions, and

91% shared telehealth would help them stick to appointments, manage prescriptions and refills, and follow wellness recommendations.

Providers seem to feel that they have worked through a lot of the challenges of telehealth compliance, especially when internet connections are stable. Nicole Craig is a Family Nurse Practitioner at Children’s Rehabilitative Services in Phoenix. She says compliance guidance helps providers “know what has to be documented in the chart to protect ourselves from things such as improper billing and coding.” And, “in 2021 the billing is now different. Getting help from Compliance allows providers to bill time-based care. We have to understand the billing rules and compliance factors in order to follow them, especially during telehealth visits.”

For most PCVs, telehealth proved to be an efficient way to provide care. This method limited in-person visits to those instances where the patient needed a hands-on physical assessment or diagnostic testing.

Isabella Porter, JD, director of Compliance at District Medical Group, Inc., is confident that 2020 created a rebirth of telehealth. She also sees a new appreciation of this method of care delivery which healthcare will not abandon once the pandemic is deemed “over.” And she knows that her team will be a big part of her organization’s success. “I do believe that in the context of telemedicine during COVID-19, our Compliance department’s assistance with telehealth workflows lead to overall better patient outcomes during the pandemic,” she said.

It’s a good thing. While concern about the coronavirus will recede, providers and patients alike will want to continue some telehealth visits. Healthcare leaders will work collaboratively to ensure their organizations can continue to offer this important option.

Keep on top of regulations affecting telehealth and make sure those regulations are translated into policies and procedures that affect patient care. YouCompli customers have access to notifications about changes to regulations, resources to inform policy and procedure updates, and tools to track compliance. Contact us today to learn more. 

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.

Subscribe to receive updates from YouCompli

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

HIPAA How to regulatory change management risk management

Regulatory change management is critical to effective enterprise policy management

Managing and responding to regulatory change is a significant effort for healthcare institutions.

Compliance Culture HIPAA How to regulatory change management

Yes, worker fatigue is a Compliance concern

How does worker fatigue affect a healthcare organization’ s level of regulatory compliance?

It turns out, employees who are not getting enough rest have a higher chance of making mistakes or performing their work at a sub-standard level. And in healthcare, this can mean increased non-compliance with facility policies and adverse effects on patient care.

Worker fatigue during a pandemic

Healthcare workers have always been at risk of fatigue, particularly with the traditionally long shifts for residents and the high stakes of patient care. The pandemic adds the unknowns of treatment, grief over lost patients, fear of catching the virus and missing family and routine. Unfortunately, this dual fatigue- at work and at home – increases the risk for errors around patient care and other highly regulated elements of healthcare.

Worker fatigue and increased mistakes

Workers who are fatigued may not have the same ability to focus on their tasks. For example, when sending a fax from the hospital to a primary care office on behalf of a patient, a nurse might type in the wrong fax number, thus sending protected health information (PHI) to the wrong person. Or worse, an employee may click on a link embedded in an email that is associated with malware and cause a breach. These are just two examples of how worker fatigue could cause compliance concerns.

Worker fatigue and decreased quality of work

Similarly, when people are fatigued or burned out, the quality of their work and judgment can decrease. For example:

A usually conscientious employee may cut corners and not ensure a signature is obtained on a patient consent for surgery.
A contract manager may upload a new contract but forget to obtain a required business associate agreement (BAA) form.
A compliance audit may show that a Human Resources employee delayed scheduling flu vaccines and tuberculosis test for a group of new employees.
A nurse may leave confidential patient information showing on a computer screen at the nurses’ station when called away to answer a nurse call light.

How Compliance can help

Helping staff stay well rested doesn’t fall just to the Compliance team, of course. But Compliance is a stakeholder and can partner with Human Resources to make sure the organization prioritizes reducing worker fatigue and supporting employees’ wellbeing.

Compliance professionals can identify regulatory risks and help prioritize issues and develop materials for staff meetings to reinforce the need for adequate rest. Check out these CDC guides for material:
- COVID-10 and Workplace Fatigue: Lessons Learned and Mitigation Strategies
- Managing Fatigue During Times of Crisis: Guidance for Nurses, Managers, and Other Healthcare Workers
Human Resources can create and offer support such as include peer support programs, supporting mental health paid time off, and referrals to the organization’s employee assistance (EAP) program. (An EAP is a work-based intervention program – like counseling – designed to assist employees in resolving personal problems that may adversely affect their performance.)
Hospital administration can work with department heads to make sure shifts are scheduled in a way that allows for adequate rest.

The issue of worker fatigue is rooted in every aspect of a healthcare organization’s operation. People are passionate about their work and want to care for their team and their patients. Managers are doing their best to schedule people appropriately, but COVID has made existing staff shortages worse. A reminder from the Compliance team may help everyone in the organization take better care of themselves to ultimately deliver better care.

Keep on top of regulations affecting your organization and make sure those regulations are translated into policies and procedures that affect patient care. YouCompli customers have access to notifications about changes to regulations, resources to inform policy and procedure updates, and tools to track compliance. Contact us today to learn more.

regulatory change management risk management

Information blocking and the Cures Act

Resources for healthcare chief compliance officers to understand the impact of the Cures Act and information blocking. Includes examples and definitions.

How to regulatory change management risk management

Collaboration Between Compliance and Risk: What is Permissible?

Compliance departments, generally speaking, guide staff and boards of directors to comply with the requirements, laws and regulations that govern the organization’s business. They also monitor for compliance via internal audits. Risk departments, on the other hand, address ways to mitigate risk to an organization through such activities as the evaluation and purchase of insurance policies. Given the broad nature of the scope of these two departments within the organization, when is compliance and risk collaboration permissible?

Possible collaborations

Strategic planning: Collaboration here should include not only compliance and risk but the entire organization and the board of directors, if applicable.
Disaster response and business continuity: As with strategic planning, disaster response and business continuity planning should also involve input and collaboration from all departments in the organization.
General security and privacy : Here the compliance/privacy officer, information technology/security officer, and risk management director should all be included in the planning.
Known security threat and/or breach incident: Compliance, information technology (IT), and risk management would all participate in mitigating a security threat or breach incident on the organization. Each would provide input and guidance on their respective areas of knowledge.
Risk assessments, gap analysis and mitigation plans: Again, the development of these plans should include leaders from the entire organization; moreover, compliance and risk would specifically collaborate on the assessment, analysis and mitigation activities.
General policy development: Compliance and risk staff can collaborate and provide feedback and input for all organization policies.
Record and document retention schedule: Here compliance and risk can collaborate with legal counsel to ensure record and document retention policies comply with state and federal laws.
Staff education: This is an area where compliance and risk can collaborate to provide training, whether it is done in person, virtually, by email or via online course.

Collaborations to vet and evaluate permissibility

Security breach: As noted above, compliance, IT, and risk will work together once a security breach has been identified. It is important to ensure compliance addresses HIPAA related information and potential reporting requirements; IT evaluates the technical aspects of the breach; and risk focuses on reporting to the insurance carrier and mitigation strategies in conjunction with compliance and IT. These collaborative activities will usually take place under a breach coach or law firm to protect the confidential nature of the breach.
Shared work areas: Depending on the confidential nature of discussions, say a lawsuit against the organization, it may or may not be appropriate for compliance staff to be privy to such information. So shared work areas should be closely evaluated.
Shared staff: As with shared work areas, if a staff member such as a registered nurse (RN) is shared between the compliance and risk department, both leaders and the RN must remain in the scope of the job role in which they are working at the time.
Reporting to the board: Typically, compliance reports to the organization’s leader (such as a CEO) but also has direct or dotted line reporting to the board of directors. Make sure any collaborations with other departments do not create potential conflicts of interest with reporting up this chain of command.
Committee membership: As with the analysis discussed above, make sure to vet compliance staff member membership on the risk committee and vice versa to avoid any actual or potential conflicts of interest.

Goal

All organizations should work to develop a culture where permissible collaborations between compliance and risk occur. They should also make certain that staff feel comfortable calling the compliance or risk department with potential concerns while ensuring the staff not crossing any lines when it comes to compliance or risk department confidential matters or conflicts of interest.

PRACTICE TIP:

Evaluate opportunities for the compliance department to collaborate with the risk management team, as noted above.
Access youCompli to find resources which address required document and record retention requirements.

Denise Atwood, RN, JD, CPHRM

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Sign-up to never miss a compliance related article!

Manage your healthcare regulatory change process effectively and efficiently

YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.

board of directors Compliance Culture HIPAA regulatory change management risk management

Weaknesses in Internal Controls: How to Manage and Mitigate Vulnerabilities

Revised September 2022

Risk in US Healthcare

It is incredibly difficult to turn off “work brain” after the day is done.  Thoughts and questions keep creeping in during off work time, personal time. 

For example, did I send the new state law privacy requirements to our IT security team to review? Are the staff following and appropriately documenting for telehealth reimbursement?  Or what should be my priorities on Monday morning? These questions all represent potential weaknesses in internal controls.  Let’s explore what can be done to mitigate or decrease any vulnerabilities.

It is important to have appropriate internal controls supported by open communication between colleagues, and forthright reporting to both compliance and risk departments in an organization.

Since organizations are still run by humans, there remains the potential that one human sets up a call to discuss a topic (like a regulatory change), and inadvertently forgets to invite all the other humans affected by the change. Having a process in place where an employee discusses a need to meet with his or her supervisor can help ensure you’ve got the right humans at the table.

Internal controls must also be communicated to the staff so they can adhere to the organization’s expectations and policies. This is where education, early and often, that includes the why behind the internal control, can provide the best results to reducing any vulnerabilities.

Top Areas of Risk

Top areas of risk to a healthcare organization include weaknesses or vulnerabilities in security, documentation, operations, and staff performance.  Let’s consider the following:

The risk focus for organizational security typically includes areas like information technology (IT) and physical buildings. Cybersecurity data leaks or active shooters are examples of each.
Incomplete, non-existent, or fraudulent medical record documentation is another large risk for health care organizations.
Lack of clear policies, procedures, or protocols (PPPs) present huge risks to the organization as employees may act in a way which is not in compliance with PPPs.
And finally, human error, even if unintentional, can present costly risks to the organization, such as a Stark law violation. Both the strongest and the weakest internal control for health care organizations involves the staff.  Take cybersecurity: many data leaks come from staff clicking on the wrong link or attachment and letting the “bad guys in” to the network. The same is true when an employee lets someone in the building on their badge scan rather than making them badge in themselves.

Mitigate Risks

Risk mitigation is an organizational strategy to prevent or decrease the impact of mistakes or unanticipated outcomes when they occur.  One strategy is to implement organizational controls, such as PPPs along with checklists and tools, to either prevent or decrease organizational risks.

A primary and effective way to mitigate risks to the organization is to empower the employees with knowledge. Don’t just have employees complete compliance and risk education online.  Go out and meet the staff and answer their questions in real time!  Or encourage them to call or email their questions and provide timely follow up.
Risk and compliance departments should foster a culture of early reporting by staff when there is a mistake or unanticipated outcome or a deviation from the PPPs. When a staff member makes a report, it is important to document the facts while remaining objective and non-judgmental. (Related: Read Brian Kozik’s story of changing the consequence structure to support a safe to speak up culture)
Ensure you have a usable system to track internal control weaknesses to manage and mitigate vulnerabilities. Whether this is a manual process or is done through an IT application, make sure you consistently use the internal controls to evaluate and mitigate risks because they change – frequently.

Review, or if you don’t have them, develop cybersecurity and business continuity plans. These plans should be living documents that are used regularly and revised at least every two years, to ensure compliance and risk topics are current and mitigated.  These plans should not just be a book on the shelf or a file on a computer. The risk focus for these plans should include tools to monitor both IT and the physical building risks.
Commit to being a leader when it comes to promoting an open culture for reporting weaknesses, or breaks, in internal controls so early mitigation strategies can be implemented.

Proactively setting internal controls helps you and your colleagues address mistakes and errors when they inevitably do happen.  While there is no failsafe way to ensure 100% compliance with internal controls, or that all employees will do the right thing every time, you’ll be better positioned when staff are educated and equipped to comply with regulations and do the right thing.  And in organizations that have an open culture of reporting, both the risk and compliance teams will be aware of the internal control weaknesses so they can implement mitigation strategies early on.

 Strong internal controls are critical to effective regulatory change management. YouCompli can enable your collaboration with compliance champions and free your time to focus on relationships and communications. Take a look at our regulatory change management solution today. 

Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.

Never Miss a Compliance Related Article

Get a 15-minute strategic overview of YouCompli

Compliance Culture How to regulatory change management

Organization Liability: Impact and Risk Mitigation (Part II)

liability risks in healthcare denise atwood

Impact of Risk Liabilities

Unmanaged or poorly managed risk can cause devastating effects to the organization from a reputational and financial perspective.

An extreme example of financial risk, coupled with nationwide reputational risks, was the Tylenol case in the 1980’s. The New York Times describes how, in 1982, Extra-Strength Tylenol capsules were tampered with and laced with potassium cyanide. Seven people in the Chicago area died and copycats caused several more deaths across the U.S. As a result of those incidents, tamper-resistant packaging was created and implemented so over-the-counter products, such as Tylenol, could not unknowingly be laced with a poison which could cause injury or death.

Despite the fact that the manufacturer had not introduced the poison, this event led to huge financial and reputational liability for McNeil Consumer Healthcare, the makers of Tylenol. On just the financial side, this cost a considerable amount of money due to decreased sales and increased advertising costs.

As this example demonstrates, financial and reputational risk for an organization in the healthcare field can have disastrous consequences that threaten to bankrupt or put the organization out of business. If the event or incident is sufficiently egregious, the organization could also face loss of accreditation or state licensure. If this happens, they may also lose Medicare and Medicaid contracts.

Risk Mitigation

Proactive risk mitigation strategies include transfer of risk, through such vehicles as contracts and insurance, and early reporting of incidents or events by staff.

Transfer of risk in contracts in typically done with indemnity or hold harmless clause. Transfer of risk via insurance is done by ensuring the organization has adequate coverages and retentions to meet the organization’s needs.

The intent of an indemnity clause is to transfer the risk of financial loss from one party to the agreement to another party to the agreement. Generally, this is financial losses or expenses caused by contract breach or default, negligence, or misconduct by one of the parties.

Hold harmless language in the contract states one party will not hold another party responsible for potential risks or damages. Hold harmless clauses can be unilateral and apply to just one of the parties to the contract or can be bilateral and apply to both parties to the contract. Typically, bilateral hold harmless language is preferred for healthcare organization contracts because each party will assume their own risk and not sue the other party to the contract for the risk which was assumed.

Early reporting by staff is crucial in order to ensure that appropriate action, discussion, documentation and reporting takes place. Most importantly, this is necessary to ensure that risk mitigation strategies can be implemented to eliminate or decrease risk to the organization.