Why you should move compliance into the top five issues in your organization’s strategic plan.

By Clay B. Wortham

Strategic planning is more important than ever before for today’s successful healthcare organizations of all sizes. Establishing a plan that addresses rising external costs, reduces internal costs and maintains an effective workforce is at the top of the list for many organizations.

Too often, however, strategic planning to ensure compliance with increasing regulatory pressures and to minimize compliance risk is a topic pushed to the back of the strategic plan or left off entirely because compliance is perceived as a risk-reduction effort and not directly tied to driving profitability.

And it’s no wonder that compliance can be overlooked; after all, management teams are busy, there are agreements to be made, complaints to be handled and products and services to be sold. In smaller organizations, organizational leaders may need to serve patients as well. Logically, however, compliance should be near the top of the list for every strategic plan. After all, what’s the point of a dynamite strategic plan if in the end the organization must repay the profits in fines and penalties? Like insurance, an effective compliance plan can help an organization capitalize on its success.

We all know that the “I’ll worry about compliance later” mentality can have grave consequences. For example, in December 2013 Adult & Pediatric Dermatology, P.C. of Concord, Mass. was the first to reach a settlement with the U.S. Department of Health and Human Services Office of Civil Rights (OCR) for not having policies and procedures in place to address the breach notification provisions of the HITECH Act. The settlement resulted in a $150,000 penalty and a corrective action plan, not to mention the accompanying reputational harm to the business.

Five Key Areas
Insulate your organization from compliance risk. Move compliance into the top five issues in your organization’s strategic plan. Compliance is not particularly difficult, but it can make your business a lot more profitable in the long run.

Start by setting aside an hour for your management team to address obvious compliance risks and how to best address them. Within a relatively short time, a responsible person can be designated, timetables can be created and policies and training conducted and documented.

If your organization is looking for a starting point, begin by addressing these five areas:

1. A HIPAA Risk Assessment
A HIPAA risk assessment is an investigation and analysis of potential risks of unauthorized use or disclosure of patient health information. There’s nothing magical about it. Identify areas where health information is stored. Who has access to it? What steps need to be addressed to ensure that keys, passcodes and other restrictions are in place and updated regularly so that only people who should have access to the information do? Do employees know about these rules?

A HIPAA risk assessment is not optional; covered entities, and now business associates, are required to conduct one and should update it annually.

The HIPAA Omnibus Rule, effective September 23, 2013, brought sweeping changes to the HIPAA rules. If your organization has yet to create or update its HIPAA risk assessment in the wake of the Omnibus Rule, here are two items that require immediate attention:

Notice of Privacy Practices
All Notice of Privacy Practices (NPPs) should be revised to include statements addressing the following:

• Uses and/or disclosures of patient information for marketing purposes, fundraising communications and the prohibition on the sale of such information without an authorization.
• Patients who pay out-of-pocket for a healthcare service have the right to restrict disclosures to their health plan.
• Breach notification policy.

Covered entities are required to post the revised NPP and make copies available at their office to all new patients and to anyone else on request. If the covered entity maintains a web site, the NPP should be posted there as well.

Business Associate Agreements
The Omnibus Rule expanded the definition of business associate (BA) to include subcontractors of existing business associates, and makes business associates directly responsible for compliance with HIPAA requirements. It also affirms that covered entities are liable for penalties for the failure of a business associate subcontractor to perform a function on the covered entity’s behalf. As a result, existing BA agreements should be reviewed and potentially revised to incorporate new requirements and impose those
requirements on BA subcontractors.

2. Employee Trainings
Training for new employees is a must; in addition, there should be periodic refresher courses for current employees on policies and procedures and applicable regulations.

For instance, how will employees be compliant with the HIPAA Omnibus Rule mentioned above unless the organization sets aside time to make this a priority? It is the organization’s responsibility to educate and promote an atmosphere of learning. Effective employee training is time well spent; it not only helps to improve compliance, but can be an opportunity to discuss cost-reduction measures, personnel issues and patient service.

Employee training should always be documented. Record who attends trainings and keep a copy of the materials that were disseminated for the training. Regulatory agencies will consider what efforts have been made to train employees on best practices and the law in the event of an audit or investigation.

3. Using EHRs Effectively
The Medicare and Medicaid EHR Incentive Programs are proof that strategic planning and compliance efforts offer significant rewards. By using EHRs effectively, providers can receive valuable financial incentives.

Compliance is important in the Meaningful Use context because the Centers for Medicare and Medicaid Services conduct Meaningful Use attestation audits to ensure compliance with the program’s requirements. Although only a small percentage of providers will be subject to a Meaningful Use attestation audit, the stakes are high — a single attestation misstep could be grounds for loss of the full incentive payment. Could your organization survive a Meaningful Use audit?

Strategic planning for Meaningful Use compliance involves documented staff training on the appropriate use of the EHR technology and working closely with your EHR vendor to ensure that the tool you are using satisfies legal requirements and can be used effectively day-to-day.

4. Vendor and Provider Arrangements
Service argreements, supply agreements and other vendor agreements are essential for any healthcare business. Agreements should be reviewed periodically to determine whether the agreements are current and comply with applicable laws, including fraud and abuse requirements such as anti-kickback safe harbors and Stark law exceptions. Business Associate Agreements should be evaluated as discussed above. The exclusion database should be monitored periodically to ensure that vendors are not on the excluded provider list.

5. Billing Compliance
From patient check-in to final bill collection, billing compliance is a team effort. Billing technology has improved the process greatly, but there is always room for error—or worse—fraud and abuse. Noncompliance with billing regulations can lead to nonpayment (not good for business), overpayments, and prosecution under the False Claims Act (which can all mean the end of a business).

Strategic planning for billing compliance means documented employee training and fostering an environment that encourages employees to identify issues and report problems. Establishing a billing audit program to periodically double-check a sampling of claims for billing errors can help to identify errors before they result in significant liability.

Protect your business and position the organization to capitalize on its success. Move compliance into the top five issues for your organization’s strategic plan.

Clay B. Wortham is an associate in the health law group of McBrayer, McGinnis, Leslie & Kirkland, PLLC.