Catherine Boerner (cboerner@boernerconsultingllc.com) is President of Boerner Consulting, LLC, in New Berlin, WI.
Well-written policies and procedures are the main controls an organization can have in place to maintain compliance with risk areas. Without current, well-written policies and procedures that explain how to stay in compliance with a risk area, employee turnover exposes the organization to risk over time. Leadership may assume that a “well-known” law or regulation will be interpreted correctly and followed; however, if there is no written policy and procedure plus education for new employees who directly carry out compliance with the risk area, then the likelihood of errors increases substantially.
One might argue that policies and procedures are not read, but in reality, if you don’t even have one, you are missing the initial step of laying out what compliance means. I like to see policies and procedures specifically reference, as applicable, the actual regulatory citations, Medicare Manual section, etc. Specifically referencing laws and regulations allows the review and revision process for the policy and procedure to check whether there were changes to the specific law or regulation.
Of course, new employee orientation and annual compliance and HIPAA privacy and security training are also key as an overall safeguard and to maintain awareness of the compliance risk areas. Additional supervisor and manager training is also important to help ensure that supervisors and managers will identify, prevent, detect, and correct noncompliance with applicable laws and regulations.
The compliance officer’s job is to investigate and act on matters related to compliance, including having the flexibility to design and coordinate internal investigations (e.g., responding to reports of problems or suspected violations). Any resulting corrective action should be made with the assistance, where appropriate, of the corporate compliance committee and, as necessary, internal and/or external legal counsel.
I like to refer to the process of raising awareness of compliance risk as putting in place “smoke detectors” throughout the organization so that any potential for noncompliance will be detected and questioned at an early stage, before it turns into a fire. When there is employee turnover and the potential that a smoke detector has been removed, it is important that another one is put in its place. Well-written policies and procedures, specialized compliance training, and monitoring of compliance risk areas help mitigate compliance risk.