How Transparency Can Help Compliance

Compliance can be complex, with many decisions occurring behind closed doors, and transparency can help ease the process for everyone it affects. For any medical organization, the people who can be affected by a breach are widespread. From stakeholders to patients to employees, failure to comply can have far-reaching consequences.

For some organizations, such as Griffin Hospital, transparency is about being as forthcoming as possible in the event of a breach. When a former employee was still able to access almost a thousand patient records in 2010, the hospital sought to both investigate the case and immediately inform any patient whose records may have been compromised.

This response, according to Griffin representatives, was their way of reinforcing faith in the organization and demonstrating that they are committed to their compliance efforts. It is also a show of good faith to the patients who might otherwise have been unaware of the breach.

However, times have changed, and while Griffin’s response was measured and diplomatic, it does not address the other ways that transparency should be used in tandem with compliance.

Of course, it is preferable for a breach to not happen at all. For any compliance initiative, it is valuable for the entire organization to be aware of what is being done and how these efforts will affect operations. In fact, any regulations that could potentially affect the organization should be elucidated, or at least made available, to its staff members.

The fact is, compliance is an ongoing process that affects how the members of an organization work and manage systems. This can be disruptive, and frustrating if individuals are not aware of the reasoning behind certain changes. This goes hand-in-hand with the idea of educating employees on best practices for compliance, as the first step to doing this should be to expound on the impact of new practices.

For patients, any information about how their private data is shared and distributed should be made available to them. As healthcare systems evolve to become more integrated between organizations, it is important to update patients on how this process will affect them. Any policies and procedures should be clearly disclosed to individuals. While data exchange can allow for a better patient experience, this should not come at the cost of transparency and compliance.

In fact, HIPAA’s Privacy Rule makes this a necessity for a compliant environment. Requirements state that organizations should strive to obtain a signed notice of privacy practices (NPP) explaining how data exchange takes place in a networked environment. The NPP should also be posted in an organization’s office and on its website. This document varies by organization, but it should include details on both how information will be shared and how it is protected.

Compliance is not something that happens behind closed doors. Rather, it’s something that should be public knowledge, both out of good faith and because it helps an organization show that it is committed to safely handling data and other electronic systems. Consider the ways that your organization is communicating with others and audit your compliance plan accordingly.

A Layman’s Guide To Achieving Compliance

As compliance regulations tighten for healthcare organizations, many executives who have allowed these practices to fall by the wayside over the years are reevaluating how they handle data and electronic systems. It may seem like a complicated topic, and that a team of highly skilled IT professionals is required to achieve compliance, but neither of these things is the case. While compliance can be difficult, often all it takes to reach that level is hiring an external organization. As for complexity, it is possible, and indeed vital, for top-level leadership in health organizations to understand how regulatory compliance will affect them.

Healthcare compliance is evaluated along three axes: legal, ethical, and professional. Standards for all three should be up to date, with policies in place to enforce them throughout an organization. They should focus on procedures that employees need to follow, metrics of success, and ways to monitor possible issues to be corrected.

As far as enforcing compliance goes, a number of agencies are responsible, depending on the nature of the compliance in question. The Department of Health and Human Services and its Office for Civil Rights are primarily responsible for monitoring patient records and ensuring that they are all protected according to HIPAA standards. In a similar manner, the Centers for Medicare and Medicaid Services address electronic health records as their nature changes and write many of the rules for healthcare compliance. Finally, the Office of the National Coordinator for Health Information Technology moves organizations safely away from paper and toward digital records, encouraging information exchange in a safe and compliant manner. All of these organizations and more have published guides to the best ways to protect data and achieve compliance.

In organizations themselves, everyone is responsible for compliance. However, the burden of educating others and securing an organization’s compliance certifications falls to a compliance officer, often a Chief Compliance Officer (CCO) in a larger organization. Certifications are varied, but the four most common are for healthcare, research, privacy, and ethics. However, just gaining these is not enough—a CCO will have to maintain these standards and become re-certified at regular intervals.

In truth, these certifications are only really helpful for an organization if it has a significant number of them—the four previously listed, at the very least. Each one deals with a different facet of compliance, but the elements of education, reassessment, and discipline common to regulation as a whole are relevant in their own ways.

Another misconception about regulatory compliance is that it is interchangeable with cybersecurity. While it’s true that good cybersecurity is more necessary in healthcare than in most other industries, these practices don’t always conform to compliance standards. The reverse is also true: compliance does not necessarily fix vulnerabilities. The same professional should not be responsible for both, as the considerations are different and keeping abreast of both is a difficult task. However, both officers should be in frequent contact to ensure that nothing one of them is doing adversely affects the other.

And, above all else, executives should not be afraid to solicit outside help! Third-party organizations are often crucial to providing an objective assessment of how an organization can achieve effective compliance. Plans should be scalable and account for future developments, as regulations will always change. However, with good communication and the help of skilled professionals, healthcare organizations can find options that keep stakeholders happy and data handled properly.

Pillars of a Strong Compliance Culture

While professionals in a variety of industries have striven to adapt to changing regulatory standards, getting an entire company on board is a far different matter. Compliance officers have taken it upon themselves to become well informed about the subject matter and the near-constant barrage of changes that affects it.

That said, a compliance officer trying to single-handedly bring a business up to regulatory standards is akin to trying to extinguish a fire with an eyedropper. Even if one person tries to implement all of the changes necessary, they are, in fact, only one person. Not only does the entire team need to get involved, but the entire team needs to be invested as well. Education is only effective if employees are willing to put procedures into practice and audit their own behavior. Getting them to care is perhaps one of the greatest challenges a compliance professional faces.

For any compliance program, the first step to making it relevant is to start with a program that has been tested in other industries. While compliance is certainly necessary to obey the law, it also confers other benefits and allows a company to stay competitive. If a firm is able to comply particularly well, it can even strive to obtain a HITRUST certification and distinguish itself further.

Once a company has established industry best practices, it’s time to look at how personnel are trained to achieve compliance. Training is a good first step, but compliance officers must find a way to engage employees effectively. The good news is that processes that lead to good compliance can also lead to increased productivity for employees. Try to simplify workflows and eliminate tasks that lead to possible compliance issues. Employees will be more supportive of changes if they feel that they benefit from them as well.

And employees should be incentivized for practicing good compliance. Establish both good compliance practices and well-defined rewards for following them. Structure any incentive to fit into the everyday workflow of employees and make them aware of how they can contribute.

Organization is also key. Data should not just be kept safe; it should be sequestered and stratified as needed. Whether digital or traditional, part of compliance culture should cover the way data is handled, backed up, and disposed of. Still, this is something that every employee has to be a part of, from C-suite executives right down to new hires. Don’t start a training program meant to elucidate the finer points of data safety and then fail to follow it up with anything.

Each employee may need a specialized approach to compliance. While anybody can fall victim to something like a phishing scheme, differences in data access mean that a selection of training programs and follow-ups is necessary to cover common issues. Tailoring these initiatives to risk levels helps a company create an experience that is unique and relevant to everyone.

A skilled compliance officer can change the course of an organization by creating a culture based on compliance. Even as companies scramble to keep up with new regulatory environments, many are realizing that making these changes sooner rather than later can have a lasting impact and generate a significant competitive advantage.