Rob E. Foster (firstname.lastname@example.org) is Assistant Director of Compliance/ECO/FPO at Parallon in Nashville, TN.
At various national or local healthcare and/or compliance conferences, we often hear about the latest hot topics and industry trends. I always think to myself, “How would a new compliance professional build and monitor an effective compliance program?”
I would venture to say that most, if not all, compliance professionals did not think they would have a career in compliance. Personally, I never went to bed thinking, “Boy, I can’t wait to develop a set of standards for a full-service revenue cycle company.” However, I’m fortunate enough to be in a position and work for a company that I love. If I could go back more than a decade ago and give myself—or any new compliance professional—some tips, what would they look like? Can one really simplify compliance? What would my building blocks be?
An effective compliance program is made up of several foundational components. Depending on the company size, these components may be managed by different departments. In the case of Parallon, our dedicated compliance department manages all of these aspects.
Compliance operations refer to all the various tasks and responsibilities assigned to a compliance professional or program to oversee and monitor. This would include any area of the organization governed by a state or federal law, internal policies and procedures, or the company’s code of conduct.
Part of overseeing compliance operations means working in tandem with nearly every department within the organization. This work includes advising leadership, consulting, training employees, investigating potential violations, and mitigating identified risks. It also includes proactively auditing operational activities to guarantee compliance with the policies and procedures. Compliance professionals should think of themselves as a firewall, not firefighters.
As I pointed out before, depending on the company size, a compliance department may be one element of a larger operational group. Although it is not always possible, I strongly believe that compliance needs to maintain a separation of responsibility that could be considered operational in nature. Providing audit oversight for a program in which one also shares or directly manages daily operational responsibilities presents new challenges or gives off the perception of a conflict of interest. Remember, one can’t grade their own paper.
Compliance programs should ensure that they are conducting onsite privacy rounding at least every month. In today’s world of remote workforces, it’s very possible for compliance personnel to not be in the same building as the hospital or business office. Even so, conducting an in-person or virtual audit or tour of the facility is the best practice.
Additionally, the compliance department needs to establish a notification procedure for any and all types of privacy incidents. In short, if a patient’s protected health information or personally identifiable information is compromised in any way, compliance should be the first to know. There is no limit to the number of notification tools in the marketplace. However, the way the notifications are received does not have to be complex. Some examples are SharePoint applications, a dedicated email box monitored by compliance, or a physical mailbox outside of the compliance professional’s office. Either way, as soon as a privacy incident occurs, the clock starts ticking. The faster a compliance team can review and assess the incident, the faster it can be mitigated and closed.
As a compliance professional, you will inevitably deal with your share of ethics concerns. An ethics concern can originate in many different ways but most often includes the behavior of an individual within your organization that violates the company’s code of conduct. A strong ethics program comprises several key elements: confidentiality, comprehensive investigative process, unbiased review, collaboration with key personnel, and a strong understanding of the company’s code of conduct.
Within our organization, we often talk about building a culture of compliance. For us, this means that compliance goes above and beyond adherence to state and federal regulations and our internal policies and procedures. A culture of compliance means doing the right thing every time. The ethics program plays a key role in supporting and enforcing standards of behavior detailed in the code of conduct.
Are you familiar with your company’s code of conduct? Do you even have one? It’s important that your code of conduct be reviewed not only with new hires, but with existing staff on an annual basis. How can you hold someone responsible for upholding your core values if you do not take the time to talk to your employees about them?
Employees should have several avenues for reporting concerns. The best course of action for reporting concerns is notification through the progressive levels of management. This means an employee should first report potential concerns to their supervisor or manager. Recognizing that employees may have concerns that involve their direct supervisor/manager, employees should be encouraged to present their concerns to other members of leadership (e.g., senior managers, directors). Seasoned compliance professionals are acutely aware that many complaints involve some aspects of human resource challenges such as manager-subordinate or other work relationships. It is always advisable to work closely with HR leadership in reviewing and resolving these cases. Additionally, there may be cases where employees wish to report potential concerns to a third party. Effective compliance programs provide the means for employees to contact a compliance hotline (800 number) to report their concerns. This method allows employees the option to report anonymously. Finally, a good compliance professional should always be available to speak with employees regarding their concerns and to provide timely follow-up in response to those concerns. In any case, employees should feel confident reporting concerns without the fear of retaliation.
When reviewing ethics or compliance cases, it’s important that the compliance professional or designee reviews each report objectively, considering all the details provided. To conclude an effective ethics investigation, a compliance professional must take the time to understand the issue and formulate a strategy to determine whether the concern is valid. The crux of such investigation involves interviewing named parties and determining whether these interviews should be face-to-face. Conversations should be clearly documented, and a final report should include key details of the investigation, such as the names of parties interviewed and a summary of the discussion with each person. The compliance professional should include a summary of findings and a recommendation for next steps, such as corrective action, sanctions, request to close the case as unsubstantiated, etc. Finally, they have to make sure to follow up with the complainant regarding the outcome of the investigation. This is key to ensuring the integrity of the investigative process and maintaining trust with employees.
Regulatory landscape monitoring and implementation
If you have been in compliance for longer than a day, you are keenly aware that the regulations can change almost daily. Compliance professionals should perform a yearly review of any laws and regulations with oversight of the organization’s practices. It is imperative that they take the time to understand the regulatory challenges present within their industries.
There are many resources available to assist them with staying up to date on the latest legislative activities, such as Centers for Medicare & Medicaid Services’ publications, notice of proposed rulemaking, industry trade groups, state hospital associations, etc.
Policies and procedures
A key tenet of an effective compliance program is the presence of robust policies and procedures. As you develop your company’s compliance program, consider what internal processes are documented in a standard policy and procedure format/template. It is not uncommon to identify areas within the organization that would benefit from a detailed policy and procedure. Policies and procedures are useful for setting operational and behavioral expectations and can be viewed as guardrails within the organization to keep trouble at bay. Your policies and procedures should follow a standard template format to include sections such as Title, Scope, Purpose, Policy, Procedure, and References. Compliance should hold a seat at the table when polices are drafted and should have oversight, advisement, authorship, and implementation roles in this process.
Compliance should partner with the company’s education leader(s) to draft any compliance education notifications sent out to employees. Additionally, they should work with the education department to monitor any changes or updates that are needed for existing training materials. Compliance should play a role in the development of compliance-related training content assigned to employees.
Compliance professionals must have strong relational capacity. This does not mean that they need to win a congeniality contest. However, building strong relationships with company leadership is paramount to overall success. They need to build the type of relationship that allows senior leadership to trust and count on them as dedicated partners. Senior leaders need to think of them when a question arises.
Furthermore, employees should feel comfortable bringing concerns, complaints, or questions to their attention. Compliance professionals should spend time visiting, speaking, and otherwise building rapport with every department in the organization.