Sheila Limmroth, Privacy Officer and Legal Services Specialist, DCH Health System, Tuscaloosa, AL
GZ: Thanks for taking the time to be interviewed for Compliance Today. You started your career in public accounting with an accounting degree. Did you have any inkling as an accounting student that compliance would ever be in your future? What were your career aspirations upon graduating from the University of Alabama?
SL: My exposure to healthcare actually began in ninth grade. The University of Alabama College of Community Health Sciences received a grant from the Josiah Macy Jr. Foundation at that time. The Josiah Macy Jr. Foundation has worked since 1930 to improve healthcare in the United States. The grant permitted development of a program named BioPrep. It was a joint effort of the College of Community Health Sciences and area high schools. The overarching purpose was to expose students in rural communities to the medical field with the hope that students would choose a healthcare career and return to practice in a rural community. At least four high schools participated in this opportunity, including my school.
As a BioPrep student, I committed summers to the BioPrep program and lived in a dorm at the University of Alabama each summer. University of Alabama professors and our high school teachers expanded our knowledge in math and science with an emphasis on the healthcare system. I remember one summer learning to solve problems utilizing Venn diagrams while some of my friends were at the movies, and being envious. The program, however, also focused on our community and involved activities such as camping and hiking trips into Alabama’s Bankhead National Forest. The program fostered a love for our community and Alabama as a home. Our academics during the school year were tailored as well so, at a very young age, my life became about the healthcare delivery system in the United States. Students who remained in the program and met grade requirements graduated high school with a full academic scholarship to the University of Alabama. I continue to be grateful to the Josiah Macy Jr. Foundation for the opportunity that was provided to me. Although I chose to use my scholarship to study accounting, I always knew I would end up in the medical field, even if it was on the periphery.
As an accounting student in the late 80s, my singular focus was on being hired by a national public accounting firm. This goal was influenced by my accounting professors and two brothers who were both CPAs at national firms. My first assignments at Ernst & Young involved a health system and a software development and services company that provide enterprise engineering and geospatially powered software to businesses, governments, and organizations around the world. I realized I thoroughly enjoyed healthcare and the feeling that, although I was not clinically trained, I was adding value to the industry and hence the patient’s experience.
Looking back, I do not recall discussions in college related to internal audit or compliance. My desire to become an internal auditor developed from discussions with internal auditors at medical centers where I was assigned to perform cost report analysis and audit fieldwork. The family atmosphere at many of my assignments and the desire by the auditors to make a difference at their institutions inspired me to pursue internal audit as my profession.
In the late 90s, I became aware of compliance as a career when I read a 4–6 page newsletter, which I now realize was the precursor to HCCA’s Compliance Today publication. This newsletter was on our general counsel’s desk, and I remember we started a dialogue about compliance that day that planted a seed in my mind.
GZ: After many years in the internal audit function, you then had compliance added to your responsibilities. What led to this development?
SL: In 2010, I was the corporate director of internal audit for our healthcare system. The Board Audit & Corporate Compliance Committee had previously approved an independent assessment of the internal audit function. Although we are tax exempt and operate as a Health Care Authority licensed by the Alabama Department of Public Health as a public hospital, we wanted to determine what parts of Sarbanes-Oxley we wanted to adopt as best practices at our facility as part of the internal audit assessment. During 2010, the Board Audit & Corporate Compliance Committee requested an independent assessment of the existing compliance function. Since an independent assessment had already been performed of the internal audit function, this was a natural by-product of the internal audit assessment. As a result of the external compliance assessment, the structure/foundation of the compliance function changed. Compliance was moved to the internal audit department. This change permitted greater independence, because the compliance function had resided in an operational department. Resources were added once the two departments were combined. Our focus in 2010 was operationalizing a combined function while growing the compliance portion. I served as the corporate director of Internal Audit & Compliance from 2010 to 2016. During those years I was also given responsibility for HIPAA Privacy while HIPAA Security continued to reside in the Information Systems department.
GZ: As someone who has successfully transitioned from a non-compliance role into compliance, what advice do you have for others who are considering such a switch? What were the keys to you successfully shifting into compliance in addition to internal audit?
SL: The key to successfully shifting into a compliance role was the support I received from the C-suite and the board. This support included a budget for compliance education and additional staff to support the function. My advice for anyone considering a dual role or transitioning to a compliance role is to determine the type of support you will be given. You need financial support for the function to include not just funding for staffing and education, as previously mentioned, but also funding for software needs as well as legal and consulting fees. In addition to the financial support, you need support in that the C-suite and the board understand the purpose and the necessity of the function. It truly is about the “tone at the top.” Without the support at the top of the organization, the program will have difficulty being successful. Both the financial support and support of the function led to my success at DCH Health System in the compliance officer role.
Another key to success is relationship building. Build relationships with as many employees across the organization as possible. As the compliance officer, I always had access to the C-suite. Compliance, risk management, and general counsel always worked well together and continue to do so today. I also focused on hearing what employees who performed the job had to say. My motto, which I picked up from working for my husband at his business, has always been to “listen to the people who do the job, because they know the job best.” Relationship building is vital to the compliance function. There is no assignment that a compliance professional can do that is completely independent of someone else. One of a compliance officer’s greatest assets is the relationship built on mutual respect and trust within the organization.
GZ: For the past three years you have served as privacy officer, a highly specialized area of compliance. What were some of your initial challenges that you faced in this role and how did you address them to prepare yourself for the role?
SL: Prior to being the privacy officer, I supervised the function. We all change over time, and I realized that I was envious of the function I supervised. I wanted to have time to dig my heels into the function, but I had to rely upon my privacy manager at the time, because I had to spread my hours among compliance, privacy, and internal audit. When the privacy manager left the organization after tremendous work at DCH, I realized I wanted the opportunity, at this point in my career, to step into a role that not only permitted greater work/life balance but also challenged me and allowed me to feel a greater connection to our patient population.
Some of my initial challenges were dealing with the gray area that I struggled with during the early years in compliance. Internal audit is much more black and white on a daily basis. When I became the compliance officer, the vice president of legal services advised me to not let the gray eat me alive. It was some of the best advice I have ever been given. Her point was that I needed to sit back and think about a scenario, the likelihood of the best outcome, the likelihood of the worst outcome, and the probable outcome. When you take time to do this, it has a calming effect. As compliance or privacy professionals, we do not want to find ourselves being labeled “chicken little.” We have to realize that once we identify and report the risks, we have to allow the C-suite to do their analysis of risk tolerance. Everyone’s risk appetite may not be the same, and it does not mean one person is right and one person is wrong.
Just as the Association of Healthcare Internal Auditors (AHIA) has been the foundation for my success as a certified internal auditor, I found the HIPAA communities hosted by HCCA of profound educational benefit. The HIPAA online communities are very active, and have permitted me to learn from other organizations and to delve into the nuances of HIPAA. There is no substitute for having a peer group where you can “compare and contrast” how you operate within your profession. I state “compare and contrast” with emphasis, because one of the frequent Listserv posters and educators, Frank Ruelas, continually challenges us to compare and contrast how we handle situations at our facilities and share our experiences.
Another challenge for me was building relationships with certain segments where relationships did not exist—physicians and patients being two groups that come to mind. Even though I remained at the same organization, taking on the role of the privacy officer was like starting over. Relationship building never stops, no matter how long you have been at a job. You have to work daily at developing relationships or you become complacent and your position becomes irrelevant.
GZ: You have done something that is becoming rarer all the time. You’ve spent more than 25 years with one organization. I’m sure not every day has been great. When you’ve had those moments of frustration, what is it that led to your decision to stay?
SL: Sometimes it is hard to believe that I am in my 27th year at DCH. You are correct, there have been some bad days and some do-overs I would like to have, but my decision to stay has always been based on making an annual list of positives and negatives. The positives have always outweighed the negatives. I think anyone owes it to themselves to perform such an inventory. Some of the positives on my list are:
Function is respected and receives support
Corporate mission and vision fits my personal ideals
In today’s environment, it is rare that someone stays with an employer for five years or ten years. Some will perceive my career choice as a negative. I know some recruiters see it as an individual who becomes used to the status quo and does not function well in changing environments. Each person has to do what is best for them. For me, the ability to start as a staff auditor and work up to the corporate director of internal audit and compliance was challenging, and each step resulted in growth as additional responsibilities were added, without having to sacrifice family and community. The switch to HIPAA Privacy resulted in a different focus with new professional contacts. Even as the HIPAA privacy officer, I have been given short-term projects, including working on human subject research compliance and working with a team to re-develop our patient grievance and complaint process. I do not think those challenges would be so readily available if I were functioning as a newly hired privacy officer at another facility. I believe the choice to change your job should be based on your personal goals and where you see yourself during each period of your life. My choice has worked well for me and left me with a satisfying career.
GZ: Privacy is one of the most significant and rapidly changing categories of risk for a healthcare organization. How have recent developments in this risk area affected your department’s work and the organization in general?
SL: I attended the HCCA Compliance Institute in March and I listened to a HIPAA update given by an Office for Civil Rights (OCR) representative. When the floor was opened up to questions by the audience, I was struck by the risks at other organizations being the same as those I struggle with on a daily basis. The risks include those associated with social media, cellphone technology, and advancements in technology. As the OCR representative acknowledged that she could not answer one of the questions but would have to take it back to her supervisors, I realized how desperately our industry needs HIPAA to change. We are faced every day with nuances that perhaps HIPAA (written in 1996 with the addition of the Privacy Rule in 2003) needs to be updated in order to address. One of the questions that stood out to me was: What do organizations do when they hire law enforcement to provide security for the emergency room and the officers are required to keep their body cameras on while performing security duties? How does the body camera and patient privacy co-exist? How does healthcare handle all of the evolving technology, including healthcare apps and downloading health information to these apps? Technology innovation is occurring at a rapid pace but, as privacy officers and security officers, we are charged with fitting the privacy and security questions within the confines of a law that has not changed in around 20 years. I look forward to updated technical guidance from the OCR to help us address the changing technological risks within the privacy and security landscape.
GZ: At this year’s Compliance Institute in Boston, you co-presented a session on patient grievance systems, and how responding to patient grievances can pose compliance risks. What were some of the key takeaways from that session?
SL: Some of the key messages in that session include:
Know what the grievance process is in your organization. You do not have to audit every single process within your organization, but ask enough questions that you are able to assess whether risks exist for that particular area. My co-presenter, Susan Thomas, and I provided a detailed checklist for assessing the patient complaint and grievance process.
Understand the Medicare Conditions of Participation (CoPs) surrounding the grievance process, and verify that your organization’s policy matches the CoPs.
Ensure you have a functioning grievance committee and review some of the metrics reported to the committee.
Ensure that those handling grievances from family members and friends understand HIPAA when addressing concerns.
Make sure your program does not routinely write off co-pays as part of grievance resolution, because this can implicate the Anti-Kickback Statute.
In summary, a patient grievance and complaint process should address systemic issues with an emphasis on safety, quality, and preventing adverse events. As a compliance professional, you want to understand how data from the grievances and complaints is analyzed in order to assure your facility is providing patients with quality care.
GZ: Technology is being embraced more than ever as a tool for enhancing compliance, through improved controls, technology-assisted monitoring, etc., while also posing new risks. How have developments in technology changed how you carry out your duties as a privacy officer?
SL: Our healthcare system is cognizant of the growth of technology—technology to directly benefit the patient and technology to assist compliance and privacy in performing their duties. The current corporate director of Internal Audit & Compliance has done a phenomenal job, with C-suite and board support, of developing a robust drug diversion program. He is leveraging software to assist in auditing for potential drug diversion as part of the program.
In June I will begin training on a new patient privacy intelligence technology to assist in combating serious privacy incidents. I am excited about the new auditing and monitoring tool. I want our patients to know we are working diligently to protect their health information. If a patient’s protected health information (PHI) is compromised or accessed outside the scope of normal business practice, we want to use the tool to sanction the individual who compromised the PHI and notify the patient and the OCR of the breach. We currently have an auditing and monitoring tool in place, but we are upgrading to a much more robust program. We are transparent about tools with both our workforce through the onboarding process and providers who also have an onboarding process that includes both compliance and HIPAA training. Although both of these software tools are enhancing our programs, neither is a substitute for ongoing education. A significant amount of time is spent providing in-person education to our workforce. We have system-wide HIPAA training, and targeted HIPAA training based upon a department’s function.
I attend a Security & Technology Committee meeting monthly. Departments report on new software implementation and upgrades, and we become involved in potential privacy issues before they occur through this committee. Changes in technology have reinforced that we cannot operate in silos. A privacy officer and security officer must know where all the PHI rests within their organization. To function effectively and address technology issues from a HIPAA perspective, it gets back to building relationships. Just yesterday a physician contacted me to self-report a HIPAA violation. We worked through his concern and determined HIPAA had not been violated, but I was most proud of the fact that he felt he could call me. Challenges will always change in an organization, but relationship building can address any challenge through improved communication.
GZ: Any regrets or things you miss after leaving the world of internal audit to dive into compliance and privacy?
SL: I have no regrets with my decision to leave internal audit or the decision to stay within the same organization. I have managed to challenge myself through the years while also gaining knowledge in many areas of healthcare. I feel fortunate to have had the unique career that I have had, even though it was not planned out in advance. At the HCCA Compliance Institute, I purchased Roy Snell’s book, The Accidental Compliance Professional. I am an accidental internal auditor and an accidental compliance professional, and both careers have been great. I suppose all accidents are not so bad.
GZ: Sheila, thank you very much for sharing your experiences with our readers.