With the U.S. Department of Health and Human Services (HSS) Office for Civil Rights (OCR) preparing to audit about 400 healthcare providers in 2015, what can you do to be ready?
Whether your organization has been prepared for months or you’re just getting started, there’s no time to panic or toss in the towel (if your compliance program doesn’t seem up-to-speed yet).
OCR focuses on a few main HIPAA violations, including: failure to conduct risk evaluations of data breaches, ignoring security threats to PHI and poor training of staff in how to protect PHI, according to a recent TechTarget article.
To ensure you’ve addressed the above concerns, hospital compliance officers should keep in mind the seven basic elements of an effective compliance program:
- Corporate Compliance Program
- Code of Conduct or Ethics
- Training, Acknowledgement and Corrective Action Plans
- Disaster Recovery Plan
These policies and procedures should apply to all employees, volunteers, staff members, hospital management and departments. When creating them, keep in mind your organization’s mission or value statement and core values, as well as applicable laws and regulations. Policies and procedures should not just be written when reacting to an incident, but they should be created proactively and in a forward-thinking manner.
Take this time to involve and engage hospital management and staff — get their input on policies and procedures, as well as how changes should be implemented — to gain buy-in and build a stronger culture of compliance. Policies and procedures should also be revisited and updated on a regular basis to ensure they’re kept up-to-date with the latest regulations and in-line with your corporate culture as your organization evolves.
Determine who will head the compliance program and who will sit on the committees. Establish the members’ individual roles versus their responsibilities as a group, as well as how often they will meet, what they will discuss and how their meeting discussions will be shared. Detail how they should be communicated with and how they will work together to work toward the compliance program’s overall goals.
A foolproof compliance program, complete with step-by-step documentation, is useless if your staff knows nothing about it. Remember the three keys to effective policy and procedure management are:access, education and enforcement.
When new employees start, who will train them and when will they be trained? Will they receive paper documentation, and is there an online system where they can access policies as well? When they have questions, who do they ask or where do they look? Will employees be tested on whether they’ve read and understood policies and procedures, and will they receive refresher training or follow-up tests? Who will be in charge of ensuring employees are trained and acknowledge that they’ve read policies in a timely manner?
Moreover, what sort of management system will you develop to manage these processes and ensure a task doesn’t slip through the cracks? You’ll need a system that can handle a large number of documents, and distributes policies and procedures to the right employees through workflows — and sends them auto-notifications when a new policy is ready for them to review. Employees should be able to easily find the policies they need within the system, which should also offer acknowledgement and employee testing capabilities.
Embedded in your corporate culture should be openness — the ability to communicate compliance issues without fear of retaliation. Staff members should be able to ask for clarification when they’re unsure about a policy, procedure or potential compliance violation. The means for communicating — and to who issues should be communicated — should also be detailed in your policies and procedures, and readily accessible to your employees.
Outline a plan on how you intend to enforce the compliance program, starting with how you will distribute and train your employees on the policies and procedures. Along the points addressed in #3, a policy management system can support this effort by automatically sending notifications to your employees when a new policy has been published and asking them to acknowledge that they’ve received and understood the policy. From there, establish what actions will be taken should employees not adhere to the compliance program.
Just like you visit the doctor for annual check-ups, your compliance program should be regularly audited to check up on its relevance and effectiveness. Determine how frequently your organization should undergo these audits, and create a follow-up plan for next steps after an audit has been completed. How will issues that popped up during the audit be addressed, and in what timeframe?
Stay ahead by relying on an automated system to remind you when policies are due to be updated, renew, expire or be retired. Be sure the corporate compliance officer and compliance committees have access to the system, too, so they can easily view all documents necessary to carry out compliance functions and for auditing purposes.