A compliance program is a crucial part of any organization that adheres to laws, regulations, and policies involved in its activities. A compliance department or officer has the duty to guarantee that the company follows all the necessary rules set by governmental bodies. Proper management of involved risks reduces the operational costs of the organization by preventing avoidable legal fines (NEJM Catalyst, 2018). Bose (2016) states that “federal departments are stepping up their plans for compliance audits, and the fines and penalties associated with violations continue to increase.” The compliance system grows more sophisticated every year, and there are many organizations that provide services in consulting and accreditation assistance.
The setting for this case study is a hospital, which is an investor-owned or a non-profit organization that provides a common public good as a service. Therefore, it is a vital part of a healthcare system and one of the most regulated fields of human activity. A hospital is a health care facility with the purpose of creating a convenient and efficient point of access to various health-related services. In past years, the healthcare system has seen many changes that were aimed at improving the quality of service. Holt (2019) argues that “The complexity of the US healthcare system and recent initiatives to promote the quality and efficiency of healthcare through technology has presented new opportunities and problems” (p. 1). In the United States, the exact requirements that all health care facilities must follow, not counting regional laws and regulations, are described in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The structure of a hospital depends on its purpose, whether it is a general or specialized facility. A regular hospital has a board of directors, administration, and separate departments for clinical services, nursing services, financial and support services, which include the risk management and compliance department. This department’s role is to protect an organization, its employees, and customers from legal issues and promote adherence to ethical standards, as well as to detect and prevent unethical conduct.
The role of a compliance department is a complex set of monitoring, analysis, and development functions. In a hospital, this department uses data collecting methods to check whether or not the health care institution adheres to all necessary standards. Then it attempts to find a pattern that could potentially reduce the number of similar adverse encounters by applying risk assessment and analysis methods to the collected data. The last function of a compliance department is to develop a guide for an organization that will reduce or prevent further incidents.
Compliance Risks
The HIPAA provides a risk assessment tool and guidance to help companies follow the mandatory requirements and avoid the most frequently encountered compliance risks. Failure to conduct the HIPAA assessment results in severe fines and other penalties, depending on the exact type of misconduct. More than half of all hospitals in the United States are privately owned organizations (Holt, 2019). There are several types of compliance risks that hospitals are regularly exposed to. They include false claims acts, antitrust, tax felonies, and other fraudulent activities described in the Health Insurance Portability and Accountability Act. Moreover, an additional expansion under the name of the Health Information Technology for Economic and Clinical Health Act (HITECH) was added to the HIPAA in 2008 in order to cover the mass integration of information technologies.
To avoid potential fraud attempts within the organization, a hospital needs to define its risk areas, closely monitor them, and work on their reduction. It could be achieved through staff training, implementation of new policies, regular employee assessments, and proper organizational culture. The standards of certification by many accreditation organizations aim to help health care facilities with this issue by giving access to a wide variety of tools and knowledge bases.
Fraudulent activities related to health care might seem an unlikely issue for smaller health care facilities; however, this is a misleading assumption. There are several barriers in place that prevent businesses that provide health care services from adhering to all laws and regulations due to the high costs of setting up, for example, an electronic health record system (Holt, 2019). However, small businesses must understand the risks of their indecisiveness, as any legal action against them has the potential to bankrupt the organization.
The oldest act that often applies to healthcare is the False Claims Act of 1863. In healthcare, it refers to cases when a person knowingly makes or uses false or fraudulent material to gain personal benefit (Moseley III, 2013). Penalties for a false claim range from financial fines to jail time. If a hospital operates under an inadequate compliance program, it has a higher chance of being accused of an inability to detect and prevent fraud.
Another risk involved in the healthcare business that is associated with insufficient compliance management is the lack of adherence to antitrust laws. Kumar (2019) argues that “competition in this vast market ultimately will benefit consumers by containing costs, improving quality and encouraging innovation.” Due to the recent emergence of collaboration, merging, and mass acquisition of health care facilities, Kumar (2019) states that “New antitrust bills or amendments are likely to be introduced.” One of the main benefits of enforcing compliance with HIPAA rules is lowered insurance costs, which take a significant negative hit from this issue.
The third common fraudulent activity in healthcare is tax fraud, which consists of misuse of medical information. In this case, medical insurance of another person is used to pay for treatment, medications, and other expenses. The risks of tax fraud are exceptionally high nowadays due to tax-exempt status granted by the government to a large group of citizens, which raises the need for tax compliance as a separate program (Moseley III, 2013). With the electronic records systems currently in place, hospitals and other health care facilities are able to recognize such attempts before severe damage is done to a person whose medical information has been illegally used. It is crucial for a hospital, especially if it is a non-profit facility, to set rules that will negate this type of fraud.
Compliance with the HIPAA and HITECH acts provides a variety of benefits to a health care organization. Regulatory costs for a hospital, even for a small one, should not be viewed as expenses, but rather as money saved on potential payments for legal issues (Holt, 2019). Aside from the money-saving effect, a well-developed compliance program is able to detect and prevent “near misses” in medical practice, and the hospital can learn from that experience and find new room for improvement. Bose (2016) states that “a compliance program can also help retain quality employees and prevent criminal activity.” Moreover, hospitals that comply with the regulation acts achieve higher patient satisfaction percentages as compliance guarantees better patient safety (NEJM Catalyst, 2018). In conclusion, a compliance department is a necessity for a hospital that aims to provide the best possible services. It not only allows a hospital to avoid being hit by sanctions but also establishes credibility that is needed to achieve the maximum amount of positive patient outcomes.
The HITECH itself should not be viewed as an additional strain on the organization’s budget. Holt (2019) states that “as of 2016, over 95 percent of all eligible and Critical Access hospitals have demonstrated meaningful use of certified health IT” (p. 4). The current mandatory systems, such as EHR, are not only safe and secure but also functional and extensive in their potential use.
Exposure of Compliance Risks
Staying HIPAA-compliant is a mandatory requirement for health care facilities in the United States. While exposure to the risks involved in providing healthcare services is unavoidable, organizations can prevent severe consequences by putting additional effort into compliance. Organizations that are prepared to deal with the risks they encounter are the most successful in their industry. According to Vanderpool (2019), five key actions to stay HIPAA-compliant are:
- Conducting a periodical assessment of risks via the HIPAA assessment tool.
- Teaching medical personnel how to comply with the HIPAA requirements; employees need to know how to react to an issue.
- Keeping all necessary documents related to business associates in order.
- Protecting personal health information of the hospital’s patients from unauthorized access.
- Reporting all potential confidentiality breaches and other issues covered by the HIPAA.
It is also essential to address the unique challenges that the widespread use of technology solutions creates for organizations that work with personal data, and to keep one’s IT systems secure in accordance with the HITECH.
A health care facility that wants to stay accredited needs to be flexible. There are many fields for improvement, and each organization decides what approach it takes to maintain its compliance. The work of the compliance department includes the assessment of risks and their prevention. One such way is to create a culture within an organization that promotes responsible behavior, willingness to uphold the required standards and communicate with others to resolve any issue. Bose (2016) states that “after the written policy is finalized and well-documented, a training program should be conducted in order to help employees understand their requirements and their role in preventing compliance violations.” The main improvement factors often include staff communication, changes in the prescription process, safer use of medications, and improvements in patient identification.
In order to expose the weak sides of organizational compliance management, there are several systems that aim to highlight potentially problematic parts of the organization. These systems include the incident reporting system and root cause analysis. Both methods aim to improve patient satisfaction and positive outcomes by developing safer and more efficient management plans and policies. It is crucial for a health care organization to expose its risks by any means possible. Compliance programs should not be aimed at finding which involved party is guilty or punishing employees. Instead, a compliance program must define a strict protocol for an internal investigation and strive for future improvements. However, these systems take different approaches to the process of investigating the issues with compliance.
Root cause analysis is a method of identifying the cause of a problem and creating an adequate response. The goal of root cause analysis is to find out all the information about the incident and develop a solution, preferably permanent, repeatable, and easy to apply (Moseley III, 2013). A hospital needs to focus not only on solving a problem at hand but also on upgrading all of its parts in order to improve patient satisfaction.
The Critical Incident Reporting System (CIRS) is a set of rules that aims to increase patient safety by changing risk management rules to be more open for free reports. Petschnig and Haslinger-Baumann (2017) state that “core elements of a well-functioning CIRS are feedback, the involvement of the whole staff including top management commitment, and the integration of CIRS in both risk and quality management.” The system aims to raise the amount of data gathered about non-compliance incidents by removing or lessening the punishments for reporting misconduct and medical errors. The increased feedback can allow health care organizations to pinpoint the exact issue faster and more efficiently or uncover other underlying problems.
Organization Regulations and Accreditations
There are several organizations in the United States that control health care facilities’ compliance with HIPAA/HITECH, provide assistance with difficulties in compliance within the organization, and assist with gaining accredited status for an organization. Such well-known organizations as the American Association for Accreditation of Ambulatory Surgery Facilities, the National Sanitation Foundation, and the Joint Commission offer help to health care facilities. These organizations ensure that accredited institutions are compliant with state and country regulations and laws that apply to them within the United States and abroad. Since the safety of patients and staff is the primary mission of health care organizations, it is essential to take every available opportunity to reduce clinical errors and other adverse encounters that negatively affect patients’ hospital visits.
Accreditation by the American Association for Accreditation of Ambulatory Surgery Facilities (AAAASF) is aligned with their Patient Bill of Rights. The organization is actively involved in establishing communication between patients and health care facilities and ensures that patients’ needs are always a priority for accredited organizations (What can we do for you, n.d.). Organizations that are accredited by the AAAASF are expected to uphold the highest standards of care and be re-evaluated each year. The accreditation by this organization aims to nurture the behavior in medical personnel that will guarantee further compliance. The AAAASF also provides a tool to report organization compliance and uses these reports to upgrade its accreditation procedure and requirements.
The Joint Commission is one of the largest accreditation companies in the health care business. It prides itself on being the most trusted and widely recognized for its quality and efficiency. Its extensive accumulated knowledge base serves as a risk assessment and prediction tool for health care facilities that get accredited through it (Why the Joint Commission for hospital accreditation, n.d.). The organization guarantees improvement in all processes within an accredited hospital and provides constant updates of its guidebook on how to adhere to the Joint Commission standards with best available practices.
The National Sanitation Foundation is an international organization that works in the regulatory field. It issues independent certificates of quality control, which have worldwide recognition (NSF Certification, n.d.). The organization claims that its certification signifies that the accredited organization is compliant with all regulatory specifications (NSF Certification, n.d.). The main advantage of this accreditation company is its combined expertise in various fields of operation that revolve around global health, which allows it to streamline the process and ensure that certified companies are compliant with not only regional but global regulation policies.
Accreditation by these companies means not only that the accredited organization is compliant with regional laws and regulations that are applied in its sphere of operation; it is also a signal that the compliance program of this facility is efficient and reliable. Bose (2016) concludes that “implementing a well-designed compliance program will ultimately save entities money, create a more productive working environment for employees who are impacted by compliance concerns, and result in better outcomes.” Therefore, when choosing which health care organization should be prioritized, a customer or a potential investor will choose the one with the least risk involved, which, in turn, means a prestigious accreditation is a benefit.
The Role of the Compliance Officer
It is crucial for a health care facility to designate the importance of the compliance and risk management department in accordance with its size and statistics on legal claims. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association (2018) state that “the relationship between the compliance and ethics officer and the board of directors is both essential and often underdeveloped” (p. 1). Moseley III (2013) argues that “the compliance officer should have direct access to the hospital CEO and its governing board” (p. 272). Various health care organizations have different views on the position of the risk assessment department and the importance of the compliance officer.
However, it is possible to link higher responsibility and risk assessment with the quality of provided services. According to statistics by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association (2018), “privately held companies were most likely to have a compliance officer reporting to the board” (p. 2). Therefore, the need for accreditation as a tool for attracting potential investors makes an organization more likely to put a higher value on the position of the compliance officer.
The role itself requires an advanced set of analytical skills. It should be noted that the compliance officer can significantly benefit from having a degree in law alongside any related medical degrees. The appointed employee must be able to investigate the core of any issue and to make crucial decisions to avoid its occurrence. Moreover, he/she needs to know the structure of the organization to be able to quickly address issues with the medical staff. The compliance officer should keep close contact with the human resources department. Therefore, this position often requires additional training and certification.
While the importance of this department has been established, it rarely communicates directly with a board of directors except for severe cases. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association (2018) state that “Compliance is very much responsible for escalating serious allegations and investigations to the board” (p. 10). The current widely used place of the compliance officer within the structure of an organization satisfies the needs of most health care facilities.
References
Bose, N. (2016). An effective compliance program can lower costs, increase productivity & improve patient care. The Compliance & Ethics Blog. Web.
Holt, R. (2019). Healthcare compliance and barriers to the implementation of healthcare IT initiatives across the continuum of care. Journal of Health Care Finance. Web.
Kumar, P. D. (2019). Antitrust laws in health care: Evolving trends. The American Association for Physician Leadership. Web.
Moseley III, G. B. (2013). Managing Legal Compliance in the Health Care Industry. Jones & Bartlett Publishers.
NEJM Catalyst. (2018). What is risk management in healthcare? Web.
NSF Certification. (n.d.). The National Sanitation Foundation. Web.
Petschnig, W., & Haslinger-Baumann, E. (2017). Critical Incident Reporting System (CIRS): A fundamental component of risk management in health care systems to enhance patient safety. Safety in Health, 3(9). Web.
The Society of Corporate Compliance and Ethics & the Health Care Compliance Association. (2018). The relationship between the board of directors and the compliance and ethics officer. Web.
Vanderpool, D. (2019). HIPAA compliance: A common sense approach. Innovations in Clinical Neuroscience, 16(1-2), 38–41. Web.
What can we do for you. (n.d.). The American Association for Accreditation of Ambulatory Surgery Facilities. Web.
Why the Joint Commission for hospital accreditation. (n.d.). The Joint Commission. Web.