Kathleen J. DiGregorio (kathleen.digregorio@guidehouse.com) is Compliance Analyst at Guidehouse Managed Services – Healthcare Segment in Gardena, CA.
You are a compliance professional on the day a fine has been imposed on your organization for a serious Health Insurance Portability and Accountability Act (HIPAA) violation. Credit monitoring services have been made available to the patients whose protected health information (PHI) data were disclosed. Senior leadership and account executives have contacted clients to relay the details before they read it online while the legal department is preparing an online media statement. This is a rare event, yet you have to be prepared for the post-recovery period within the organization. A more familiar event is you, as the same compliance professional, have a meeting with the human capital department to talk with a valued, tenured team member about another avoidable and careless mistake reported first to the client by a Centers for Medicare & Medicaid Services (CMS) employee. Because this is the third HIPAA incident in six weeks by the same team member, the repeated incidents have called into question your organization’s ability to process this new client’s claims error-free and in accord with their standard of work. To remain consistent with organizational disciplinary guidelines, you issue a final written warning, and this team member will likely take the news very hard because they won’t be eligible for the long-hoped-for promotion to team lead or a merit increase for six months.
Both events present opportunities for compliance to move into action mode by assisting your organization after HIPAA mishaps of varying degrees while partnering with human capital and leadership to invest in empathy and understanding to create a positive shift while team members continue to work in an emotionally sensitive atmosphere.
The root cause
Recently, the compliance officer for our organization and I were talking about an article[1] that stated that in a CMS oversight audit, more than 80% of the hospitals had processed Medicare claims incorrectly and would receive lowered reimbursement rates in 2021. She stated that if the majority of organizations are getting it wrong, there is something fundamentally wrong in the CMS instructions, guidance, and availability to answer questions mid-stream to avoid punitive reimbursement reduction during this critical period in hospitals’ financial futures. So, let’s apply this to the HIPAA mishaps at your organization.
It is that straightforward and simple: If team members are making the same mistake, something has gone wrong. Compliance needs to break down the steps on any procedure that is the source of multiple HIPAA incidents and use Lean Six Sigma,[2] the five whys,[3] or another diagnostic process to gain a full understanding of a process flow. Don’t wait until more incidents rack up and clients begin to question your organization’s ability to function seamlessly on their behalf. Within this analysis, check in with employees assigned to the project. Team members might report there are no desktop procedures, or that verbal instructions have been issued to do unauthorized workarounds, or that they continue to work through rest and meal breaks to get the job done at any cost. Ask practical questions. Can the fax unit be preprogrammed with frequently used numbers? Is there a particular time of year or day in the week when there is an uptick in incidents? Is there a similar uptick with remote workers versus in-office employees, or newly promoted supervisors versus seasoned team leads? Is further training needed with one-on-one coaching or from a prerecorded training session? Save the big-picture issues for an annual risk assessment and jump into the trenches on this one with a goal in mind to stop similar incidents from occurring.