Brenda H. Wade (brenda.wade@inovaare.com) is Chief Compliance Officer and Tom Wagner (tom.wagner@inovaare.com) is Director of Marketing at Inovaare Corporation in Cupertino, CA.
The hidden obstacle to achieving consistent compliance with Centers for Medicare & Medicaid Services (CMS) and state-level regulatory requirements—ever since the Social Security Act[1] gave the secretary authority to require Medicare and Medicaid entities to establish compliance programs in 2010—is getting access to real-time data. Unfortunately, most compliance teams still analyze and react to data through the rearview mirror.
Yes, nearly a decade of fines and penalties have motivated widespread adoption of board-level oversight regarding organizational risk and the implementation of enterprise-wide compliance programs. But the complexity of governance, risk, and compliance (GRC) processes makes maintaining an efficient compliance program a daunting task, especially when data reside across disconnected departments and databases.
The result? Compliance teams continuously chase data to catch up with the realities affecting their healthcare organizations today. Unfortunately, the reality of manually implemented compliance programs is that by the time a report is requested or an audit hits, compliance teams are already late.
Here’s the good news. Several medium and large health plans have implemented real-time compliance technologies that empower their compliance teams to move from being reactive data chasers to acting as proactive GRC process managers who add value to the bottom line by preventing noncompliance before it occurs. These forward-looking health plans transformed their compliance program effectiveness by leveraging big data to deliver continuously compliant results in relative real time.
Cost of manual compliance programs
Why are manual processes so reactive and inefficient? After all, they all should be, and probably are, following the Office of Inspector General and CMS model for success.[2] Wouldn’t complying with these elements ensure that compliance teams can easily generate clean universes and submit error-free reports in a timely manner?
Conceptually, in an ideal world free from external influences, the best practices laid out in these seven fundamental elements are reasonable. On paper, the plans look both comprehensive and preventive.
However, the reality is easily exposed by briefly examining traditional compliance program processes at each fundamental stage. The outcomes, while not surprising, cry out for more efficient solutions.
Written policies and procedures
As we learn through childhood icebreaker exercises like the telephone game, having, in this case, compliance rules dictated from the C-suite and verbally passed down the corporate hierarchy can lead to rather unexpected outcomes. This is why it’s critical to have a formal, written policies-and-procedures document to help promote and sustain CMS and state-level regulatory compliance.
Requiring written policies and procedures seems so intuitive it should be second nature for healthcare organizations. Having well-written documentation does more than set the standard for proper compliance practices; these documents also protect the organization by helping compliance teams to manage and mitigate risk.
However, creating a continuously compliant, enterprise-wide policies-and-procedures document is an arduous undertaking, especially for large healthcare systems with first-tier, downstream, and related (FDR) entities. Many healthcare payers and providers have multiple divisions and departments, and each of them often operate as independent, siloed teams that don’t use standardized tools to create an organized, centralized system of record.
Any change to ever-evolving CMS and state-level regulations requires integrated policy and procedure updates across the entire organization. Given that most healthcare organizations house disparate departments and systems—complicated even more so for those with FDRs—it’s easy to see how compliance programs often fall short, leaving healthcare organizations at risk of stiff fines and other potentially punitive actions for chronic noncompliance.
Compliance officer and compliance committee
By establishing a compliance officer who oversees implementation and maintenance of the compliance program and a diverse compliance committee to advise and assist the compliance officer, healthcare organizations can foster a culture of compliance. For example, the compliance officer can institute a bonus program to incentivize compliance, and penalties can be applied to revoke bonuses for noncompliance.
Unfortunately, manual processes play a role in limiting the effectiveness of compliance officers and their committees, similar to how those processes adversely affect the writing and maintenance of policies and procedures. For example, while the committees—made up of department heads from a broad selection of internal stakeholders—promote collaboration and clearer understanding, disconnected systems and siloed team structures may document policies on different programs, such as Microsoft Word, Excel, PowerPoint, and Access.
As a result, even with effective collaboration at the committee level—involving all the relevant stakeholders—information flows to and from departments where there’s no standard method of collecting, curating, and conveying vital compliance data. Frequently, the data don’t get compiled into a common system of record, if one exists at all, and efforts are often duplicated. This is why compliance should evolve from an oversight function into being designed as a fundamental component embedded within all healthcare software.
Compliance training and education
Continuous training and retraining of corporate officers, managers, and employees are essential to compliance program effectiveness. All stakeholders should attend general compliance training annually, and specialized training sessions need to be customized for stakeholders performing specific functions within the healthcare compliance life cycle.
Few organizations continue to maintain a paper-based, in-person training program these days. However, several sources—such as the American Health Lawyers Association, the Health Care Compliance Association, and the Healthcare Information and Management Systems Society—offer training modules that effectively educate the entire organization on general and specific healthcare compliance fundamentals.
The main challenge for all healthcare compliance training and education programs, whether paper-based, online, or embedded into learning management systems, is keeping up with the regulatory changes. As the regulations evolve, so must the training programs, which often requires the purchase of new, updated modules that incorporate the latest information. This inefficiency not only increases the cost of sustaining continuous education programs, it also means the latest information available to healthcare organizations is also playing catch-up to the realities facing these entities today.
Effective lines of communication
Effective lines of communication improve every aspect of human engagement, whether in our personal or professional lives. For healthcare compliance programs, the better an organization communicates regulatory requirements, the more effectively it can foster an enterprise-wide culture of compliance.
By orchestrating how compliance teams transmit and receive knowledge, healthcare payers and providers can nurture greater interdepartmental collaboration as well as improve the ability to keep pace with regulatory changes.
Yet, the system is only as good as the data being communicated. Even the most sophisticated communication programs can lead to noncompliance if the information communicated is outdated. That’s why access to today’s regulatory data is so critical to compliance program effectiveness.
Internal monitoring and auditing
In 2004, the Health Care Compliance Association and the Association of Healthcare Internal Auditors pooled their expertise and jointly developed the “Seven Components Framework.”[3] The seven components are:
-
Perform a risk assessment and determine the level of risk;
-
Understand laws and regulations governing those areas to be monitored and possibly audited;
-
Obtain and/or establish policies for specific issues and areas, define accountability in the policies, and develop procedures to support the policies;
-
Educate on the policies and procedures and communicate awareness of key requirements;
-
Monitor compliance with the laws, the Joint Commission on Accreditation of Healthcare Organizations guidance, and the organization’s policies and procedures;
-
Audit the highest risk areas; and
-
Re-educate staff on the law, policies and procedures, issues identified in the audit, and corrective actions planned or taken.
By applying this framework to internal auditing and monitoring practices, healthcare organizations will benefit from systematic processes to address and resolve demanding compliance issues.
If these seven components sound redundant, it’s because they are. There is a large degree of overlap contained within this widely accepted framework. Why? Because an effective auditing and monitoring system is like an ECG measuring the beating heart of a healthcare organization’s compliance program.
Therefore, it should come as no surprise that the quality of an auditing and monitoring program is only as good as the data being audited and monitored. If information is inconsistent (e.g., due to differing procedures for the same processes in different departments and incompatible data formats in disparate systems) or negated by a recent regulatory change, the auditing and monitoring program won’t consistently prevent noncompliance across the entire enterprise.
Enforce standards
Enforcing standards largely relies on the quality of an organization’s communications channels. Healthcare entities must publicize and promote disciplinary guidelines that outline the policies and procedures for issues of noncompliance. These policies and procedures may include sanctions for FDR employees and contractors who fail to comply with CMS requirements or even failure to detect noncompliance when due diligence should have provided adequate clues.[4]
Failure to enforce the healthcare organization’s policies and procedures renders the compliance program ineffective. If there are no consequences for noncompliance—intentional and malicious or unintentional—there’s little incentive to advance compliance program effectiveness.
But it’s difficult to enforce standards fairly if the data used to assess standards are outdated. Therefore, healthcare organizations must make every effort to ensure their information is based upon the current environment within which they operate.
Corrective action plans
For a corrective action plan (CAP) to be successful, healthcare organizations must be able to define the causes and effects of noncompliance, as well as develop a management architecture to address and administer the CAP, and the compliance team must approve the approach. Keys to successful mitigation of issues include assigning individuals or teams to minimize a violation’s impact and developing action steps with timelines to resolve the violation.
Each assigned individual or team must then provide progress updates to the compliance team to ensure timely resolution.
For manually administered plans, particularly those within large health plans, executing CAPs successfully is inefficient. Inconsistent information and incompatible data formats get complicated even further when transmitted via nonautomated communication channels.
Most problematic of all, perhaps, is the fact that any plan correcting a compliance violation may be resolving for a regulation that may be outdated. Without real-time data—data that are current as of today—it can be challenging to administer and maintain an effective compliance program. And, especially when it comes to issues regarding overpayment by the government — and the potential criminal violations, when perceived as an intentional attempt to conceal the violation — compliance program effectiveness needs to evolve and embrace automation.
