TD Magazine, February 2018

Red Alert

Thursday, February 1, 2018

Identify the greatest potential for risks and build a culture of compliance through engagement.

In the face of the ongoing transformation of healthcare regulatory requirements, today's compliance professionals have increased responsibilities for operationalizing an effective program. The success of a program—in healthcare or any industry—is dependent upon creating a culture of compliance.


While compliance professionals are responsible for identifying, prioritizing, and assigning accountability for managing compliance risks, employees are responsible for conducting themselves in a professional and ethical manner. Enterprise risk management techniques further enhance a compliance program by identifying strategic, operational, financial, and reputational risks.

Factors of a good compliance program

The ideal compliance program not only manages legal and ethical risks, but also addresses enterprise risks. According to the U.S. Centers for Medicare and Medicaid Services, "A risk-based approach will uncover the areas that should be targeted and accounted for within the compliance work plan." A successful program begins with collaboration among the board of directors, management team, and frontline staff to conduct an enterprise-wide compliance risk assessment. This assessment should go beyond the seven elements of an effective compliance program published by the U.S. Department of Health and Human Services' Office of Inspector General (OIG), which are:

  • implementing written policies and standards of conduct
  • designating a compliance officer or committee
  • conducting effective training
  • developing effective lines of communication
  • conducting internal auditing
  • enforcing standards through published disciplinary guidelines
  • responding to offenses and taking corrective actions.

Once the risk assessment is formulated, it should be used in conjunction with a compliance work plan to track progress toward achieving compliance and reducing organizational risks. The framework of an effective program begins with understanding regulatory compliance requirements and identifying any gaps in compliance with laws, regulations, accreditation standards, and organizational policies.

The OIG and U.S. Federal Sentencing Guidelines outline guidance for compliance program effectiveness to prevent fraud, waste, and abuse, with the Patient Protection and Affordable Care Act of 2010 making compliance programs a condition of enrollment in Medicare, Medicaid, or the Children's Health Insurance Program. The legislation changed the definition of an effective compliance program to put more emphasis on quality, patient experience, improved population health, and lower healthcare costs.

Risk identification

Enterprise risk assessments are just what the name seems to indicate: They involve risk identification across the organization. Thus, a risk assessment involves the entire workforce and all departments. Risk identification starts with employees' knowledge of laws, regulations, and accreditation standards, and how they influence healthcare operations. Identifying the applicable standards or regulations to be measured and then reviewing organizational policies and procedures are the first steps in conducting a risk assessment.

The policy review is essential to the process because policies spell out what the organization expects of its workforce in carrying out regulations and standards. A helpful tip to remember is that when an internal policy is more stringent than the regulation, the organization will be held to its internal policy, so the stricter standard is the one to measure against. But policies themselves are not sufficient evidence of compliance. It is essential to test policies to confirm that the workforce has been educated on them and that each policy has been operationalized as written.

The next step in risk identification is to engage with the workforce by opening lines of communication, conducting employee interviews, shadowing, and attending staff meetings. Open communication facilitates the identification of compliance risks only when there is no fear of retaliation or retribution for reporting concerns. To realize this type of communication, all managers should receive training and be held accountable for promoting an open-door policy within their respective departments.

An engaged workforce should be able to articulate its role vis-à-vis policies and procedures, along with duty-to-report requirements, and be able to identify violations of laws, regulations, standards, and policies. In addition to an engaged workforce, site visits and facility tours provide additional identification of compliance risk areas. Compliance professionals should work in collaboration with the operations team to conduct these tours.

Compliance risk examples

The Joint Commission is a not-for-profit organization that accredits some 21,000 healthcare organizations and programs in the United States. Its patient tracer methodology is a useful technique for tracking a patient through the entire healthcare experience, beginning with the first patient interaction.

Compliance professionals have the opportunity to identify compliance risks from the first patient interaction, whether that interaction is with the patients themselves, family members, referring providers, or emergent situations. These risks can occur with appointment scheduling, registration, parking, facility access, signage, check-in, triage, office visit, laboratory, diagnostic testing, safety, infection prevention, referrals management, discharge, billing and collections, and satisfaction ratings.

A staff member failing to ask the patient, "Do you have any special needs that may require additional time or special accommodations?" may indicate noncompliance with the Americans with Disabilities Act. If the patient is advised, "We are unable to accommodate your wheelchair," this also may be a violation of the ADA. In addition to possible ADA-compliance violations, facility access and signage may be potential safety concerns.

An example of Health Insurance Portability and Accountability Act risk identification occurs when new patients have not been informed about the organizational notice of privacy practices, or have not been asked to sign an acknowledgement of its receipt.

Patient satisfaction results can make us aware of patients' perceptions of timely communication of test results, wait times, and treatment in general.

Additional risk identification tools

Another mechanism for risk identification is file review, which may occur during an audit. An array of files should be checked for potential compliance risks. At a minimum, personnel files should include the application, background checks, job description, performance evaluations, orientation, training, and competencies, as applicable. Other items for review not included in the personnel file include I-9 verifications and health files. Any licensed or certified personnel must meet certain credentialing requirements, such as primary source verification of licensure, certification, education, training, malpractice claims history, and evidence of clinical competencies.

Medical record audits identify potential documentation concerns that could lead to fraudulent claims or incomplete documentation that could affect quality patient care. To be comprehensive, medical record audits must include clinical and nonclinical components. Nonclinical components include patient demographic information, insurance, and privacy requirements. Clinical components include medical history, social history, diagnoses, medications, allergies and reactions, patient encounters, laboratory and diagnostic testing, and use of referrals and consultants.

A medical record needs to be a true reflection of the patient's medical condition and any treatment to ensure proper billing compliance and patient safety. Additional file reviews include committee minutes and contracts, which can help identify governance oversight concerns that may compromise the integrity of an organization.

Risk prioritization

With the identification of compliance risk areas and gaps in compliance completed, the next task for the compliance professional is to prioritize these risks based on their likelihood and the impact they may have on the organization. This can be challenging because each department of an organization will have competing priorities.

One benefit of compliance professionals being independent of operations is that they are able to provide an unbiased approach to risk prioritization. Compliance professionals can serve as facilitators, assisting the management team in identifying responsible parties and formulating a plan to respond to compliance risk areas.

To strengthen internal controls, compliance and risk management professionals use a tool called the risk register (see sample risk register). It outlines the identified risk, lists any existing controls, identifies any gaps in compliance, rates the likelihood of occurrence, assesses the impact on the organization, and identifies the responsible parties, action plans, progress, due dates, and completion status for mitigating the risks.

For the risk register to be an effective tool for performance improvement, we need to define impact and likelihood. The impact, or consequence, refers to the extent to which a risk event might affect the organization. Impact criteria may include financial, reputational, regulatory, health, safety, security, environmental, employee, customer, and operational factors. Impact is typically rated on a scale of 1 (incidental) to 5 (extreme). Examples of the types of impacts that can occur as a result of compliance failure include fines, penalties, significant injuries, operational losses, and reputational damages.

The likelihood is the possibility that an incident or event will occur. Measuring the likelihood of a compliance failure is similar to measuring impact; it is rated on a scale of 1 (rare) to 5 (likely to happen frequently).

Each organization must customize the scale, determine its own threshold for scoring purposes, and consistently apply the criteria to prioritize risks; a score from one department can only be compared with a score from another if both were produced against the same definitions. When there are few existing controls and there are known gaps in compliance, an organization's exposure is higher than the likelihood and impact ratings alone would suggest, so that condition deserves attention in its own right.
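The risk register and the likelihood-by-impact prioritization described above, worked through as an added example; this is illustrative code, not a tool from the article or its author. It assumes the column set the article lists, a 1-to-5 scale for both ratings, a product score (likelihood times impact) with an assumed threshold of 12, and a separate flag for the "few controls, known gaps" condition; the four register entries are constructed from the article's own risk examples.

```python
"""Illustrative compliance risk register with likelihood x impact scoring.

Added example (not from the article). Assumptions: both ratings use the
1..5 scale the article describes; the score is their product (1..25);
the high-risk threshold of 12 is an arbitrary organizational choice; the
sample entries below are constructed, not real findings.
"""
from dataclasses import dataclass, field
from datetime import date

SCALE = range(1, 6)  # 1..5 for both likelihood and impact


@dataclass
class RiskEntry:
    risk: str
    existing_controls: list[str]
    gaps: list[str]
    likelihood: int  # 1 (rare) .. 5 (likely to happen frequently)
    impact: int      # 1 (incidental) .. 5 (extreme)
    owner: str
    action_plan: str
    due: str         # ISO date, e.g. "2018-03-31"
    complete: bool = False

    def __post_init__(self) -> None:
        # Scores are only comparable across departments when every entry
        # was rated on the same scale, so reject out-of-range ratings early.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def control_gap(self) -> bool:
        # The article's warning case: known gaps and no existing controls.
        return bool(self.gaps) and not self.existing_controls


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest score first; ties broken by impact, then by control gap."""
    return sorted(register, key=lambda e: (e.score, e.impact, e.control_gap), reverse=True)


def high_risk(register: list[RiskEntry], threshold: int = 12) -> list[RiskEntry]:
    """Entries that need an urgent work plan: at or above the threshold, or
    an uncontrolled gap with serious impact even if the product score is low."""
    return [e for e in register if e.score >= threshold or (e.control_gap and e.impact >= 4)]


def overdue(register: list[RiskEntry], today_iso: str) -> list[RiskEntry]:
    """Open action plans whose due date has passed (for the management meeting)."""
    today = date.fromisoformat(today_iso)
    return [e for e in register if not e.complete and date.fromisoformat(e.due) < today]


def build_sample_register() -> list[RiskEntry]:
    # Constructed sample entries based on the article's risk examples.
    return [
        RiskEntry("HIPAA privacy notice acknowledgement not obtained",
                  ["registration checklist"], ["no audit of signed acknowledgements"],
                  likelihood=4, impact=3, owner="Registration manager",
                  action_plan="Add acknowledgement check to monthly registration audit",
                  due="2018-03-31"),
        RiskEntry("ADA accommodation not offered at check-in",
                  [], ["no scripted accommodation question"],
                  likelihood=3, impact=4, owner="Front office supervisor",
                  action_plan="Script the question and train check-in staff",
                  due="2018-04-30"),
        RiskEntry("Provider license lapses unnoticed",
                  ["primary source verification at hire", "annual re-credentialing"], [],
                  likelihood=1, impact=5, owner="Credentialing director",
                  action_plan="Maintain expiration report", due="2018-02-28", complete=True),
        RiskEntry("Allergy documentation incomplete",
                  ["EHR required field"], [],
                  likelihood=2, impact=5, owner="Clinical quality lead",
                  action_plan="Quarterly chart audit of allergy fields", due="2018-03-15"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for entry in prioritize(register):
        flag = " (no controls, known gap)" if entry.control_gap else ""
        print(f"{entry.score:>2}  {entry.risk}{flag}")
    print("high risk:", [e.risk for e in high_risk(register)])
    print("overdue on 2018-04-01:", [e.risk for e in overdue(register, "2018-04-01")])
```

The product score alone would rank the ADA entry and the HIPAA entry equally at 12; the tie-break on impact and on the control-gap flag puts the uncontrolled wheelchair-access gap first, which is the ordering the article's caution about few controls and known gaps calls for. The threshold and the tie-break rules are exactly the things each organization is expected to customize.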

Performance improvement

Any organization's management team should treat high-risk areas with urgency and create a work plan to respond to all compliance risks in a predetermined period of time. Responsible parties then need to be held accountable for implementing performance improvement initiatives by using the risk register as a work plan to monitor progress.

Performance improvement initiatives include practices such as conducting ongoing risk identification, incorporating the findings into routine management meetings, discussing them during staff meetings, and monitoring compliance. As noted above, the workforce is the organization's most valuable resource for achieving compliance. Because of this, you might consider implementing more robust workforce training in the areas of risk management, compliance, and performance improvement.

It also can be strategic to mentor members of the workforce who are passionate about quality, patient safety, regulations, and accreditation to serve as compliance liaisons throughout the organization, especially if you have a limited compliance department or budget. By mentoring these members, we encourage staff to be accountable, promote employee engagement, develop talent, and potentially create succession plans.

Enterprise risk management and compliance together lead to high-performing teams and improved organizational performance. The integration of these concepts moves healthcare organizations toward a more collaborative approach to not only attaining, but exceeding, compliance with laws, regulations, and accreditation standards.

About the Author

Lori Gravelle is an experienced and passionate healthcare executive knowledgeable in regulatory and governance requirements, including hospital, private practice, nonprofit corporations, and federally qualified healthcare centers (FQHCs). She is currently the director of compliance and credentialing for Charlotte Radiology PA.
