An overview of the basics for organizations and providers.
By Michael L. Smith, R.R.T., J.D.
Healthcare compliance affects every type of healthcare provider and healthcare organization from the solo practitioner to the largest global healthcare conglomerate. For some, healthcare compliance is viewed as an unnecessary governmental intrusion and the imposition of unneeded oversight on overworked, underpaid, and underappreciated people that are devoting their lives to helping others. For others, healthcare compliance is seen as a means to improve the quality and availability of healthcare while controlling the costs of that healthcare.
Governmental oversight and regulation of healthcare will never be eliminated entirely. In fact, governmental regulation and oversight will increase, at least in the near future, as the government agencies and other third-party payers implement more quality-based requirements.
The purpose of this examination of healthcare compliance is to provide an overview of the basics of healthcare compliance for organizations and providers. Essentially, this examination will attempt to explore the who, what, when, where, and why of healthcare compliance.
Who Is Responsible For Healthcare Compliance?
The governing body of a healthcare organization is responsible for the conduct of the organization. Consequently, the governing body and the executive officers of the healthcare organization will bear the ultimate responsibility for a healthcare organization's compliance, or lack of compliance. The organization's governing body is responsible for directing the organization's administrators to develop and implement the organization's compliance program, as well as authorizing funds to accomplish the task. The governing body must rely upon the individuals in the healthcare organization to accomplish the organization's goals, including its compliance goals. The governing body will be required to rely upon the compliance officer and the compliance committee to develop and implement the compliance program.
While the governing body, the compliance officer, and the compliance committees have primary responsibility for the organization's compliance program, every employee of the organization is responsible in their own way for healthcare compliance and the success of the compliance program. The individual members of the organization can and should report any healthcare compliance concerns they have up the chain of command. Those individual members of the organization should not only communicate concerns within their individual areas of responsibility, but they should also report anything that appears out of the ordinary, unusual or questionable. Every individual in the healthcare organization is responsible for the success of the compliance program because failures in the compliance program can impact every member of the organization. The imposition of sanctions in the millions of dollars is common, and even large organizations are affected by those sanctions.
What Is Healthcare Compliance?
Healthcare compliance is the ongoing process of meeting or exceeding the legal, ethical, and professional standards applicable to a particular healthcare organization or provider. Healthcare compliance requires healthcare organizations and providers to develop effective processes, policies, and procedures to define appropriate conduct, train the organization's staff, and then monitor the adherence to the processes, policies, and procedures. Healthcare compliance covers numerous areas including, but not limited to, patient care, billing, reimbursement, managed care contracting, OSHA, Joint Commission on Accreditation of Healthcare Organizations, and HIPAA privacy and security, to name a few.
Healthcare compliance is not a new concept. One of the earliest forms of healthcare compliance was the establishment of minimum standards for surgery facilities by the American College of Surgeons in 1918. Today, the volume of regulations applicable to healthcare organizations and providers requires they have dedicated team members specifically focused on healthcare compliance.
Each of the government agencies that regulate healthcare approaches its regulatory framework based upon its own area of control. For example, the Drug Enforcement Administration (DEA) is charged with enforcing the laws regarding controlled substances. The DEA's healthcare compliance is understandably directed toward ensuring that controlled substances are only used appropriately. The Department of Health and Human Services (HHS) Office of Inspector General (OIG) is focused on protecting the federal healthcare programs from fraud, abuse and waste. The OIG has published some of the most comprehensive guidance for healthcare organizations on the elements of an effective healthcare compliance program. According to the OIG, an effective healthcare compliance program must, at the very least, address the following seven areas:
1. The development, distribution and implementation of written standards of conduct and written policies and procedures that describe and further the organization's commitment to meeting and exceeding the legal and ethical standards applicable to the organization;
2. The designation of a chief compliance officer and other appropriate committees and individuals that are responsible for operating and monitoring the compliance program and who report directly to the organization's chief executive officer and the governing body;
3. The development and delivery of effective employee education and training programs;
4. The development and maintenance of effective lines of communication that allow individuals to report compliance concerns without retaliation, including the ability to anonymously report concerns and complaints;
5. The development and implementation of a process to respond to complaints that includes the imposition of appropriate corrective action including discipline of employees when required;
6. The use of internal monitoring and audits to measure compliance and address known deficiencies; and
7. Responding appropriately and quickly to detected offenses and implementing corrective action.
The OIG's compliance guidance is focused on eliminating fraud, abuse and waste. The OIG's guidance is useful, but an effective healthcare compliance program must also address the other regulatory compliance areas applicable to the healthcare organization or provider. Every healthcare organization and provider deals with confidential health information. Consequently, every healthcare organization and provider will also need to include compliance with the Health Insurance Portability and Accountability Act (HIPAA) as part of its compliance program. The HHS Office of Civil Rights (OCR) is charged with implementing and enforcing the HIPAA privacy and security rules, and it has provided volumes of guidance on compliance with those rules. So healthcare compliance is the ongoing process of meeting or exceeding all the legal, ethical, and professional standards applicable to an organization or provider. As the regulations applicable to the healthcare organization change, so must its compliance program.
When Is Healthcare Compliance Required?
Every healthcare organization and provider needs a compliance program immediately. In fact, every healthcare organization and provider should have already established a healthcare compliance program. A large healthcare organization must have a comprehensive compliance program involving numerous individuals from multiple disciplines. Some large hospital systems have compliance departments that include hundreds of individuals. A solo practice physician may not need an extensive compliance department, but that physician will need a compliance program just the same.
Healthcare compliance is also an ongoing process. A healthcare organization must constantly review and examine its processes and performance for adherence to minimal requirements as established by laws, regulations and professional standards. A healthcare organization must routinely audit its performance to ensure that it is meeting its requirements. Federal and state healthcare laws and regulations change constantly and the interpretation of those laws and regulations changes just as frequently. Effective healthcare compliance must be an ongoing process of continually reviewing and updating the processes, policies and procedures of the organization. The organization also must continually update the training provided to its employees based upon changes in the regulations.
Where Are The Healthcare Compliance Requirements?
Every healthcare organization and provider needs to identify all the laws and regulations that apply to their specific organization. The federal laws applicable to healthcare are extensive and are implemented by multiple federal agencies. As discussed above, HHS is responsible for the Medicare, Medicaid, and the other federal healthcare programs, as well as the HIPAA privacy and security rules. Most healthcare organizations and providers are also subject to the regulatory framework of the Food and Drug Administration, the DEA, and numerous other state and federal agencies. Each of these governmental agencies issues rules and regulations that interpret the laws those agencies are charged with implementing.
Each state has its own overlapping set of laws and rules applicable to healthcare. Some mirror the federal laws while others differ significantly. Healthcare organizations and providers are required to comply with both sets of laws and regulations simultaneously. Large healthcare organizations that have operations in multiple states often have different requirements between their facilities based upon the state law applicable to a particular facility.
Due to the volume and complexity of this regulatory framework, most healthcare organizations and providers must rely upon specialists in healthcare compliance to develop, implement and update their compliance programs. A large healthcare organization can have hundreds of people working under its chief compliance officer.
Why Is Healthcare Compliance Important?
Ultimately, the purpose and primary benefit of healthcare compliance is to improve patient care. Patient care is improved when healthcare decisions are based upon appropriate and current clinical standards. Patient care decisions based upon improper motives rarely result in the delivery of quality care.
Healthcare compliance also aids healthcare organizations and providers in avoiding trouble with government authorities. An effective healthcare compliance program can identify problems and find solutions to those problems before a government agency finds the problem. An effective healthcare compliance program can also mitigate against the imposition of sanctions or financial penalties that might otherwise be imposed on the healthcare organization or provider. A review of the recent OCR settlements for HIPAA breaches shows that the OCR imposes higher fines when the healthcare organization had not developed and implemented effective HIPAA compliance. A large number of healthcare organizations and providers have self-disclosed matters identified through their compliance programs to government agencies. The penalties imposed upon those self-disclosing organizations and providers were far less than the penalties and other sanctions imposed on organizations and providers that were prosecuted for their misconduct.
An effective compliance program can also help a healthcare organization or provider avoid liability for malpractice. A consistent theme in healthcare compliance is documentation that the organization or provider is following current clinical standards. A healthcare organization or provider that is following best clinical practices is less likely to be the subject of a malpractice claim.
Challenges For Organizations and Providers
It is nearly impossible to overstate the complexity of healthcare compliance. The avalanche of laws, rules, regulations and standards that apply to healthcare organizations and healthcare providers is daunting. Many people consider the Internal Revenue Service code to be an overwhelming mass of overly complex laws, rules and regulations. The laws and rules applicable to healthcare organizations and providers are far more numerous than the IRS code, and significantly more complicated. Healthcare organizations and providers are not only required to comply with the Medicare rules and regulations, but they are also required to comply with numerous other federal and state healthcare laws, rules and regulations. Healthcare organizations and providers must also comply with all the regulations that apply to non-healthcare businesses, such as the regulations of the Occupational Safety and Health Administration (OSHA) and the Equal Employment Opportunity Commission (EEOC), to name two.
Healthcare organizations and providers need an individual, or individuals, that can assist them in the development, implementation, and management of an effective healthcare compliance program. The chief compliance officer is the point person that makes sure the healthcare compliance program is kept current, including all the policies and procedures that are part of the compliance program. In a large healthcare organization that job cannot be accomplished by a single individual. Large organizations will require multiple individuals, and whole departments devoted to healthcare compliance. Healthcare compliance is cumbersome, perhaps overly cumbersome, but it is here to stay.
Michael L. Smith is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.