Telehealth compliance considerations: looking ahead

Telehealth seems to be here to stay, even as the Coronavirus pandemic begins to recede in the United States. It’s a good time for healthcare institutions to make sure their telehealth practices hold up outside of emergency circumstances. 

From a compliance perspective, that means  patient privacy and technology, valid consent for treatment, visits with minors, and interstate care.    

 

Patient privacy in telehealth

Patient privacy is just as important in telehealth as it is for in-person visits. This includes ensuring the provider conducts visits in a private space and documenting the visit in a secure medical record.   

During the Coronavirus national public health emergency, the federal government has some enforcement discretion with telehealth. Regulators can choose not to impose penalties for Health Insurance Portability and Accountability Act (HIPAA) violations if they see that a provider took precautions to protect patient privacy provider. Good faith might mean using a platform like Microsoft Teams, Zoom, or WebEx and patient-specific passcodes – and still having a privacy breach. In a case like this, the regulator has the discretion not to impose fines under HIPAA. 

 

Consents and visits with minors 

Developing a process to obtain consent to treat before the first visit can help you comply with consent requirements. This may include mailing or securely emailing the consent to the patient (or parent or legal guardian) the week before the telehealth visit and having the patient send it back.  This gives the provider time to answer the patient’s questions about consent for treatment.   

For urgent telehealth visit, make sure there are policies in place to address telephone/verbal consent or to obtain two provider consents.  If your system allows, you may be able to electronically send the consent. The patient can sign it online so you can add it to the electronic health record.  

Whatever method to obtain consent your organization chooses, ensure there is a policy addressing the proper procedure and educate the team on the policy.   

For telehealth visits with minors, try to follow the same process as for in-person visits. That means you should obtain the consent to treat and have it signed by a parent or legal guardian.  Then have the parent or legal guardian attends the telehealth visit with the minor patient.  This way diagnosis, care, and treatment plan can be discussed with the patient and the parent or legal guardian at the same time.  

 

Crossing state lines for telehealth

Things to consider if the patient and provider are not conducting the telehealth visit in the same state: 

  • Licensing: Some state licensing boards have reciprocity. Some may not require an additional license in compact states while others may require a temporary or actual license to provide care in that state. This often applies to care provided via telehealth. 
  • Prescriptions: Can you prescribe across state lines? Avoid compliance issues by sending the prescription to a pharmacy in the provider’s “home” state. Then have the patient request a pharmacy-to-pharmacy transfer of the prescription. 
  • Your insurance: Does your medical professional liability (MPL) insurance provide coverage if you are out of state? How about if the patient is located outside your “home” state? Contact your MPL insurer to be certain you have coverage in the event of an out of state lawsuit. 
  • The patient’s insurance: What will the patient’s insurance cover for visits conducted out of the patient’s “home” state?  Be sure to verify this before the patient’s telehealth visit to ensure proper billing and reimbursement for the visit and to decrease billing denials.   

Considerations for adding telehealth as a service line 

There are resources available for organizations considering adding telehealth as a permanent service line. YouCompli can help you understand which regulations apply to you, stay on top of changes, and manage implementation.  

You can also find many free resources online:  

For many types of visits, patients love the option of telehealth. As providers work to be sure that they continue to deliver quality care, Compliance teams have an equally big job to be sure the systems and processes are in place to support that experience. 

Keep on top of regulations affecting telehealth and making sure those regulations are translated into policies and procedures that affect patient care. YouCompli customers have access to notifications about changes to regulations, resources to inform policy and procedure updates, and tools to track compliance. Contact us today to learn more. 

Denise Atwood, RN, JD, CPHRM is the Chief Risk Officer at District Medical Group (DMG), Inc., vice president of DMG Insurance Company (DMGIC), and owner Denise Atwood, PLLC.   

Disclaimer: The opinions expressed in this blog are the author’s and do not represent the opinions of DMG. 

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

Communicating Compliance Terms in Plain English…

communicate compliance terms in plain english

If you have ever been new to a particular field of the workforce, such as healthcare compliance, you know all too well that the language used by coworkers can sound foreign, like gibberish, or “alphabet soup.”  As we continue to work in the field though, we too, start speaking the language.  However, while that may be ok for conversing in the compliance department, it still be confusing if we are trying to communicate with, or to educate, other functional areas of the healthcare organization.  Without knowing the terminology, the message we are trying to convey is unlikely to be understood when received.

Alphabet Soup

Take a look at an example of terminology just starting with the letter “A” from the Office of the Inspector General Work Plan (reference below):

  • ADAP AIDS Drug Assistance Program (note this one includes an abbreviation in the definition);
  • AI/AN American Indians and Alaska Natives (I, for one, was unfamiliar with this abbreviation);
  • AIDS acquired immunodeficiency syndrome;
  • ALF assisted living facility;
  • ALJ administrative law judge;
  • AMD age‐related macular degeneration (while I have heard of macular degeneration, I did not know this was a standard abbreviation);
  • AMP average manufacturer price;
  • ASC ambulatory surgical center;
  • ASP average sales price; and
  • AWP average wholesale price.

Say I am talking to another seasoned compliance professional in front of a new employee.  Using the above “A” acronyms only, the conversation may sound something like this,

“Based on the billing audit, I see we are not receiving contracted AWP reimbursement under our AI/AN contract for ALF patients with AMD.”

As you can imagine, a new employee might be confused by the acronyms and terms communicated instead of using common business English.  Sometimes just saying the entire word instead of the abbreviation is a good place to start, so instead of saying AWP say average wholesale price.

Repetitive Communication

In order to improve communication between seasoned compliance professionals and other members of the organization, it is important to use repetitive teaching strategies.  In addition to saying the entire compliance term and the abbreviation, be repetitive and write out the compliance term in addition to the abbreviation in written communications.  That way staff become more familiar with compliance terminology and it becomes a part of their daily vocabulary.

Knowledge in Practice

When it comes to any industry, including healthcare, it is easy to throw around acronyms and jargon that is familiar and efficient.  However, it is important to be aware of who you are talking to, and therefore make sure they clearly understand whatever it is you are communicating.  Translate and reword industry terminology in emails, policies and teaching materials where necessary in order to improve communication and understanding.  Better compliance will ultimately be the result.

PRACTICE TIP:

  1. Regularly evaluate training and orientation materials to ensure industry specific terminology is defined and understandable.
  2. Utilize the youCompli system as a centralized hub for new and existing compliance processes and utilize the included model procedures throughout the various areas of your organization.

RESOURCES:

Health Care Compliance Association (HCCA) Compliance Dictionary found at https://www.hcca-info.org/publications/compliance-dictionary

Health and Human Services (HHS), Office of the Inspector General  (OIG), Work Plan Appendix B: Acronyms and Abbreviations found at   https://oig.hhs.gov/publications/workplan/2011/wp09-appx_b_acronyms.pdf

Denise Atwood, RN, JD, CPHRM

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

Collaboration Between Compliance and Risk: What is Permissible?

Compliance departments, generally speaking, guide staff and boards of directors to comply with the requirements, laws and regulations that govern the organization’s business. They also monitor for compliance via internal audits.  Risk departments, on the other hand, address ways to mitigate risk to an organization through such activities as the evaluation and purchase of insurance policies.  Given the broad nature of the scope of these two departments within the organization, when is compliance and risk collaboration permissible?

Possible collaborations

  1. Strategic planning: Collaboration here should include not only compliance and risk but the entire organization and the board of directors, if applicable.
  2. Disaster response and business continuity: As with strategic planning, disaster response and business continuity planning should also involve input and collaboration from all departments in the organization.
  3. General security and privacy : Here the compliance/privacy officer, information technology/security officer, and risk management director should all be included in the planning.
  4. Known security threat and/or breach incident: Compliance, information technology (IT), and risk management would all participate in mitigating a security threat or breach incident on the organization. Each would provide input and guidance on their respective areas of knowledge.
  5. Risk assessments, gap analysis and mitigation plans: Again, the development of these plans should include leaders from the entire organization; moreover, compliance and risk would specifically collaborate on the assessment, analysis and mitigation activities.
  6. General policy development: Compliance and risk staff can collaborate and provide feedback and input for all organization policies.
  7. Record and document retention schedule: Here compliance and risk can collaborate with legal counsel to ensure record and document retention policies comply with state and federal laws.
  8. Staff education: This is an area where compliance and risk can collaborate to provide training, whether it is done in person, virtually, by email or via online course.

Collaborations to vet and evaluate permissibility

  1. Security breach: As noted above, compliance, IT, and risk will work together once a security breach has been identified. It is important to ensure compliance addresses HIPAA related information and potential reporting requirements; IT evaluates the technical aspects of the breach; and risk focuses on reporting to the insurance carrier and mitigation strategies in conjunction with compliance and IT. These collaborative activities will usually take place under a breach coach or law firm to protect the confidential nature of the breach.
  2. Shared work areas: Depending on the confidential nature of discussions, say a lawsuit against the organization, it may or may not be appropriate for compliance staff to be privy to such information. So shared work areas should be closely evaluated.
  3. Shared staff: As with shared work areas, if a staff member such as a registered nurse (RN) is shared between the compliance and risk department, both leaders and the RN must remain in the scope of the job role in which they are working at the time.
  4. Reporting to the board: Typically, compliance reports to the organization’s leader (such as a CEO) but also has direct or dotted line reporting to the board of directors. Make sure any collaborations with other departments do not create potential conflicts of interest with reporting up this chain of command.
  5. Committee membership: As with the analysis discussed above, make sure to vet compliance staff member membership on the risk committee and vice versa to avoid any actual or potential conflicts of interest.

Goal

All organizations should work to develop a culture where permissible collaborations between compliance and risk occur. They should also make certain that staff feel comfortable calling the compliance or risk department with potential concerns while ensuring the staff not crossing any lines when it comes to compliance or risk department confidential matters or conflicts of interest.

PRACTICE TIP:

  1. Evaluate opportunities for the compliance department to collaborate with the risk management team, as noted above.
  2. Access youCompli to find resources which address required document and record retention requirements.

Denise Atwood, RN, JD, CPHRM

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

Sign-up to never miss a compliance related article!

Manage your healthcare regulatory change process effectively and efficiently

YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.

CAN MORAL REBELS ASSIST WITH ORGANIZATION COMPLIANCE?

I recently heard the term “moral rebel” while listening to an SCCE Compliance Perspectives podcast.  This piqued my curiosity because I wanted to know if a moral rebel was perceived as a positive.  In the podcast, Amherst College Professor Catherine Sanderson explained that a moral rebel feels comfortable standing up to a crowd and will call out bad behavior. Similarly, Scott A McGreal in Psychology Today wrote moral rebels have a strong sense of moral identity and are more likely to act morally under pressure.  Politics aside, I think we could use more moral rebels right now, especially in our compliance departments.  So, how can moral rebels assist our organizations with compliance? Let’s look at a hypothetical case scenario to find out…

Case Scenario – Chaperone policy

Your organization has chaperone policy which requires a chaperone to accompany the provider and patient for any sensitive examinations involving the genitalia, rectum, groin, buttocks or breasts.  The policy states the chaperone may be a nurse or medical assistant.

From a compliance and risk perspective, the policy has been implemented to protect the patient, the provider and the organization from potential allegations of inappropriate touching.  Education should be done with the providers to ensure the policy is followed regardless of patient and provider gender.  The policy is written this way because the anatomical gender may not reflect the gender a patient ascribes to, relates to, or identifies as.

If a sensitive examination needs to be performed, a chaperone must be present during the examination and their name should be documented in the visit note. If, however, after being educated about the need for a chaperone during the sensitive examination the patient declines a chaperone, this should be witnessed by the provider and another staff member and documented in the visit note by the provider including the name of the staff member who witness chaperon declination.

Potential non-compliance with the chaperone policy

Jesse is a medical assistant who works in a pediatric and adolescent clinic.  Jesse observes a provider who identifies as male take a patient who identifies as female into an examination room alone.  Since Jesse prepped the patient’s chart the night before, Jesse knows the patient is here for abdominal cramps and irregular menstrual bleeding.  Moreover, Jesse prepared the exam room to ensure the provider had a speculum and gel available for a vaginal exam.  During the patient’s visit, Jesse is never called into the room.  While accompanying another patient to the lab for a blood draw, Jesse sees the female patient checking out at the front desk. Jesse wonders who chaperoned the patient’s visit because the only other medical assistant is on lunch break.

Ability to stand up / come forward

In the case scenario above, Jesse would be deemed a moral rebel by speaking up and confirming whether the chaperone policy was followed by the provider.  If uncomfortable discussing with the provider directly, Jesse may report concerns to the nurse manager for follow up. In an organization where moral rebels are valued the nurse manager would support a culture where moral rebels are not afraid to come forward if organization policies are not being followed or there was potential harm to a patient or another staff member.  Moreover, the nurse manager and compliance would ensure there was no retaliation against Jesse.

PRACTICE TIP:

  1. Educate staff on policies, such as the chaperone policy, and then monitor compliance with that policy.
  2. Foster an environment for moral rebels – individuals who are driven by morals to do the right thing – to bring potential issues to the attention of leadership or compliance without fear of retaliation.
  3. Utilize youCompli to ensure you are up to date on laws, regulations, and reporting related to required compliance policies, such as a chaperone policy.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

Organization Liability: Impact and Risk Mitigation (Part II)

liability risks in healthcare denise atwood

Impact of Risk Liabilities 

Unmanaged or poorly managed risk can cause devastating effects to the organization from a reputational and financial perspective. 

An extreme example of financial risk, coupled with nationwide reputational risks, was the Tylenol case in the 1980’s. The New York Times describes how, in 1982, Extra-Strength Tylenol capsules were tampered with and laced with potassium cyanide. Seven people in the Chicago area died and copycats caused several more deaths across the U.S. As a result of those incidents, tamper-resistant packaging was created and implemented so over-the-counter products, such as Tylenol, could not unknowingly be laced with a poison which could cause injury or death. 

Despite the fact that the manufacturer had not introduced the poison, this event led to huge financial  and reputational liability for McNeil Consumer Healthcare, the makers of Tylenol. On just the financial side, this cost a considerable amount of money due to decreased sales and increased advertising costs. 

As this example demonstrates, financial and reputational risk for an organization in the healthcare field can have disastrous consequences that threaten to bankrupt or put the organization out of business. If the event or incident is sufficiently egregious, the organization could also face loss of accreditation or state licensure. If this happens, they may also lose Medicare and Medicaid contracts.   

Risk Mitigation 

Proactive risk mitigation strategies include transfer of risk, through such vehicles as contracts and insurance, and early reporting of incidents or events by staff. 

Transfer of risk in contracts in typically done with indemnity or hold harmless clause. Transfer of risk via insurance is done by ensuring the organization has adequate coverages and retentions to meet the organization’s needs.  

The intent of an indemnity clause is to transfer the risk of financial loss from one party to the agreement to another party to the agreement. Generally, this is financial losses or expenses caused by contract breach or default, negligence, or misconduct by one of the parties.  

Hold harmless language in the contract states one party will not hold another party responsible for potential risks or damages. Hold harmless clauses can be unilateral and apply to just one of the parties to the contract or can be bilateral and apply to both parties to the contract. Typically, bilateral hold harmless language is preferred for healthcare organization contracts because each party will assume their own risk and not sue the other party to the contract for the risk which was assumed.   

Early reporting by staff is crucial in order to ensure that appropriate action, discussion, documentation and reporting takes place. Most importantly, this is necessary to ensure that risk mitigation strategies can be implemented to eliminate or decrease risk to the organization.   

PRACTICE TIP 

  1. Develop and conduct risk assessments of insurance policies and large contracts to identify areas for improvement. 
  2. Review contracts to ensure indemnity or hold harmless clauses have been included.  If not, add the clauses on renewal 
  3. Work with Risk Management to conduct a risk assessment to evaluate organization risks and implement mitigation plans.  

Denise Atwood, RN, JD, CPHRM 

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC 

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.  

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

Sign-up for the YouCompli Blog to Stay Up to Date on Compliance Related News!

 Manage your healthcare regulatory change process effectively and efficiently

YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.

Organization Liability: Types of Risk (Part I)

liability types of risk denise atwood

Risk is an important concept for compliance professionals working in the healthcare space to understand. After all, there are many times where risk and liability have crossover to compliance.

For example, in response to a suspected email or electronic health record breach, compliance and risk professionals will need to work together. This work will include:

  • Evaluating the breach
  • Reporting to the insurance carrier
  • Collaborating with a breach coach or legal team to ensure the investigation meets legal requirements and timelines
  • Collaborating with the information technology team and a forensics firm to ensure risk mitigation strategies are implemented and effective

And so on.

Generally speaking, healthcare compliance professionals should have a good working knowledge of organization risks and liabilities, as well as risk mitigation strategies.

This raises two important questions:

  1. What areas of risk do healthcare organizations face?
  2. What are the potential liabilities related to unmanaged or poorly managed risk?

Areas of Risk for a Healthcare Organization

Areas of risk for a healthcare organization are vast, and can involve injury to persons, property and reputation. Several areas of risk include:

Patient safety risks

These include near misses, which are mistakes which almost make it to the patient, as well as events or incidents that do make it to the patient, causing the patient to experience an unanticipated outcome such as a longer hospital stay, disability or death.
For example, a nurse may realize before giving a vaccine to a child that the adult vaccine and dose was drawn up in the syringe instead of the pediatric vaccine and dosage. This would be a near-miss. Along those same lines, a mistake occurs if the adult vaccine dose is actually administered to the child and an allergic reaction occurs.

Operational risks

These include such things as business interruption or supply chain issues. Business interruption incidents may include fire, flood, or pandemic. If the electronic medical record system goes down, and staff have to chart by hand on paper, this would be a business interruption. Supply chain issues can occur due to higher than normal demand or decrease in output by the manufacturer. If an organization cannot obtain needed supplies – such as hand sanitizer or surgical masks – that would be an example of a supply chain issue.

Legal risks

These typically involve lawsuits filed against the organization. Most commonly, lawsuits result from allegations of inappropriate employment practices or medical negligence or malpractice. For example, if a child had an allergic reaction after receiving an adult dose of a vaccine and unfortunately passed away, the parents may file a lawsuit alleging medical malpractice or negligence on behalf of the organization, the provider or the nurse who administered the incorrect vaccine.

Insurance risks

Insurance risks generally stem from a lack of adequate or appropriate insurance coverage or failure to transfer risk. Insurance risks can also connect to legal risks, which can stem from contracts with inadequate risk transfer or failure to conduct due diligence to vet the vendor. In the case of a pandemic, healthcare and other organizations may not have realized that pandemics and resulting business closures may be excluded from their business interruption insurance policy.

Human capital risks

These encompass the inability to hire, contract or retain appropriately trained staff. A lack of ICU level nurses causing staffing shortages would be an example. Human capital risks can also include professional board or licensing complaints against the organization’s doctors, nurses, therapists, or other licensed staff.

Reputational risks

Reputational risks are often forgotten or invisible to an organization until a bad event happens and it is announced to the public – at which point it is too late.

Reputational risk used to be limited to bad publicity which was published in print or reported on television. However, with the increased acceptance and use of social media, reputational risks are more far-reaching than the local newspaper or evening news program, and could potentially have national reach and negative impact on the organization . A newspaper may not run a story about a child who received an incorrect vaccine, but the child’s mother could post to Facebook or other social media platforms that the organization and providers are terrible and not to be trusted.

Practice Tips:

  1. Schedule a meeting with your insurance broker to evaluate your insurance policies by product line (i.e., general liability, property, cybersecurity, etc.) to ensure the organization is adequately covered to protect against most business losses.
  2. Educate staff to ensure they know how and where to report near-misses and mistakes that occur in the organization.
  3. Work with Risk Management to conduct a risk assessment to evaluate organization risks and implement mitigation plans.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

Sign-up for the YouCompli Blog to Stay Up to Date on Compliance Related News!

Manage your healthcare regulatory change process effectively and efficiently

YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.

Improving Your Reputation: How to Help Your Healthcare Organization See the Compliance Department in a Positive Light

When the compliance team visits another department, staff responses are usually the same: we must have done something wrong.

This isn’t the response that you want. The compliance department and staff should be seen as approachable, working in a collaborative fashion to make the organization more successful. If the compliance department only comes in to run audits and give “constructive” feedback, then compliance will quickly become known for negativity and criticism.

Collaboration

It is important to collaborate with other departments and incorporate a holistic organizational approach. This means valuing what other team members have to offer with regards to compliance in the organization. It can be easy for compliance professionals to make black or white statements regarding compliance with a specific regulation or policy. After all, it’s there in writing — in black and white.

But, other teams can sometimes bring to light another perspective. There may be gray areas in the written requirements or overall process and addressing these could benefit the organization without compromising compliance.

Or, compliance professionals could demonstrate openness to evaluating how requirements and regulations are impacting specific operational workflows. For example, when evaluating a compliance process for telehealth visits related to obtaining consent, the operations leader should be given an opportunity to work with compliance in developing the process.

In-Person Education

One approach to improving collaboration with other departments is to conduct in-person education and question and answer (Q&A) sessions. Ask all department leaders if you can have ten (but no more than fifteen) minutes at their next staff meeting to introduce the compliance team and to solicit compliance-related topics and questions. Before the meeting, make sure to get the department leader to provide two to three compliance-related topics that would be of interest to their team. Prepare a short slide presentation to use in the meeting — typically, one slide per topic and one Q&A slide at the end.

During the meeting, make sure to leave at least five minutes for compliance Q&A. Listen to the staff questions and solicit information on challenges or knowledge gaps related to compliance, so follow up can be done with the that department or team.

Follow-Up Education

Follow up should be timely (within three to four weeks) and can be done a few different ways: short videos, posts on the internal intranet or website, email education, or additional in-person follow up education. There are several excellent (and free) applications available online where you can create short, two- to three-minute compliance videos that can then be distributed to staff.

Follow-up education could also be done by email if the topic and question and answer lends itself to an email response. For example, if staff ask a question about HIPAA’s application to texts or emails, it would be fairly easy to find a one-page summary on the application of HIPAA to texts and emails and attach that to an email.

Volunteers

Another way to improve collaboration would be to have compliance staff volunteer to participate in organization committees not directly related to compliance. For example, compliance professionals could join the policy committee or the activities committee. In this way, the compliance team can develop positive relationships with others in the organization, in an open and approachable way.

Practice Tip:

  1. Reach out to at least 3-4 departments before the end of the year to schedule and conduct in-person meet and greets with a focus on compliance education.
  2. Utilize services such as youCompli to stay current on compliance topics and regulations to present during your meet and greet meetings.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

How Do We Modernize Compliance?

Times change and compliance, like all businesses and business operations, needs processes that keep up. However, there are a lot of challenges that we as compliance professionals face when it comes to modernizing our practice. Modernizing compliance means adapting or incorporating requirements, adherence methods and technology to align with current times or requirements.

For example, this could mean learning to effectively audit electronic, instead of paper, health records. Many compliance professionals have also had to adapt to working with a remote workforce, such as billing and coding professionals, as formerly onsite staff have been transitioned out, in favor of a contracted workforce for a third-party company.

With these, and many other, challenges in mind, how do we proactively modernize compliance?

Enterprise Risk Management Planning

One way is to ensure compliance is part of the organization’s enterprise risk management (ERM) plan and business strategy. It is commonly, but incorrectly, believed that an ERM plan only involves the risk management department. An effective and comprehensive ERM plan has to include human capital, operational, financial and strategic domains, as well as addressing legal, regulatory and compliance related domains and issues.

For example, HIPAA or cyber breaches involving PII or PHI can have significant risk to the organization, including reputational, regulatory and financial consequences. Evaluating these compliance-related risks should be part of the ERM planning process, as should the development of strategies in the ERM to mitigate or manage these risks.

Compliance and Education Plans

Another way to modernize compliance is to ensure compliance and education plans are informative, yet easy to understand and follow. Gone are the days where the compliance plan can be over 30 pages long and written in a dense format with little white space. Let’s be honest: other than people in the compliance department, most employees won’t read a 30-page regulatory document which consists of nothing but text.

Compliance Plan

The compliance plan should be developed and laid out in an easy to read format. Graphs and other graphical elements should be included to aid in engagement and learning. And, when including the regulatory language, also include a clear, concrete example of how that applies to the employee.

For example, we all know that HIPAA requires staff to maintain patient privacy. While at work, this includes conversations — so we should not be discussing patients or patient information with co-workers in the elevator or bathroom. Similarly, if a person calls asking about a patient, staff must check the registration or admission system to ensure the patient wants their admission shared with callers or visitors.

If you really want your employees to follow the compliance plan, then craft it with that as your intent. Get two to three volunteers from other departments to review and edit the document with you so you ensure you met your goal to educate employees and modernize the compliance plan.

Education Plan

Education plans need to be developed that align with the compliance plan, but also must be informative and fresh. Employees are no longer interested in sitting down for a half-day session of watching PowerPoint presentations. Select annual mandatory compliance education modules that are engaging and can be completed in 10-15 minutes at one time. Ensure the format is varied with some reading, videos and multiple-choice options which enhance learning. Try incorporating in-person education throughout the year so that your co-workers are updated on any compliance policy updates or regulatory changes. But keep the education to around 10 minutes at a time in an easy to understand and engaging format, so employees see compliance as a resource instead of a department that only delivers bad news or wastes their time.

Data Analytics Processes

To modernize compliance, it is also important to create agile and contemporary data analytics processes. We can’t track all healthcare related regulations on paper or spreadsheets anymore. There are simply too many requirements to follow and too many changes to track.

The COVID-19 pandemic is a perfect recent example. Governors from many states were executing executive orders (EO) on a frequent basis to address COVID-19 related matters. These executive orders addressed such topics as whether elective surgery could or could not be performed, what restrictions were lifted with regards to telehealth visits, and what professional licensing requirements were relaxed. For organizations who have facilities in multiple states, tracking EO alone would be an incredible burden in a paper- or spreadsheet-driven department.

And, regardless of EO, there can be compliance issues related to telehealth visits and the ability to bill for those visits. For example, if a provider tries to deliver an annual Medicare visit via telehealth from California for a new patient in Connecticut.

Technology and Automation

It probably goes without saying, but modernizing compliance fundamentally includes incorporating the use of current technology and automation tools to assist with regulatory compliance and education. There are a number of electronic learning systems which automate compliance education assignment and monitoring. These systems allow compliance professionals to assign required annual training, as well as remedial education, by employee type (nurse, doctor, coder, food service, volunteer, therapist, information technologist, etc.).

There are also a variety of internet-based due diligence platforms to ensure potential vendors and contractors are appropriately vetted before the organization does business with them. And, there are many systems available that track regulatory changes and regulatory activity within your organization. There’s no longer a good reason to not explore the options, and see which tools are a good fit for your department and organization.

Practice Tip:

  1. Depending on the size of your organization, get 3-6 volunteers to review and provide input on your compliance plan and compliance education materials.
  2. Evaluate current technology and automation platforms such as youCompli to help meet your organization’s compliance needs.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More