The Challenges of Corporate Compliance
By Kelly M. Ellis, RHIT, CCS-P
For The Record
Vol. 26 No. 4 P. 7
In health care, corporate responsibility and compliance seem to go hand in hand. Organizations boasting the former typically are ahead of the game when it comes to the latter. Corporate responsibility sets the tone for the work environment, mostly because its reach extends across an organization.
In their role, corporate responsibility officers must wear many hats. As a result, a well-run organization employs a corporate compliance officer who can dabble in many arenas. Corporate responsibility touches every department in some way, making it imperative that the person in charge boasts a diverse skill set.
Richard Schuster, JD, PhD, an assistant privacy officer at Catholic Health Partners who became the organization’s first corporate responsibility officer 15 years ago, says his role requires a series of attributes, including “having a willingness to learn, being flexible, and knowing that becoming a good responsibility officer does not happen overnight.”
It’s a position that is often difficult to fill, Schuster notes. “There is no real formal education that can prepare you for this position,” he says. “It is a position that takes a time commitment on both the organization and the person’s part to be willing to learn all that is needed to know.”
The regulatory whirlwind enveloping today’s health care environment adds spice to the challenges, he notes: “Every day is different. With the advancement in health care comes new laws that we need to be aware of to protect the privacy of our employees and our patients.”
A corporate responsibility officer must be aware of all new legal and regulatory initiatives and how they apply to the organization. This includes being familiar with not only the latest mandates from The Joint Commission, long term care, and ambulatory care center accrediting bodies but also staying abreast of newly created regulations. Officers also serve as key hospital board advisors, offering guidance on emerging risk areas, compliance risk assessments, and investigations.
An organization’s responsibility program must meet or exceed the requirements of an effective program as defined in the federal sentencing guidelines and the Office of Inspector General program guidelines. In addition, it must align with the organization’s mission and goals.
Letter and Spirit of the Law
Some laws, such as HIPAA, require employees to embrace the law’s spirit and practice its principles every day at work. Constantly being aware of their surroundings and respecting patient privacy should be a top concern, from a nurse working on the floor to an aide cleaning a room.
The new Omnibus Rule adds another layer of complexity to and stricter enforcement of privacy regulations. The changes, which extend to business associates, feature new levels of negligence and significant penalties for violations.
To get a better grip on security issues, it’s important to provide employees with examples of what constitutes a breach and institute standards that grant only the minimum amount of access to patient information for employees to perform their jobs. For example, organizations shouldn’t provide a cook in the hospital kitchen with the same access to patient data as they would a nurse.
Nevertheless, all employees should be made aware of HIPAA’s breadth and its potential impact on an organization’s reputation and patient care. To this end, provide incident examples in various categories, such as accidental or inadvertent violations, failure to follow privacy and security policies and procedures, deliberate violations without intent to harm, and willful or malicious violations with intent to harm.
Some laws don’t have gray areas. For example, while health care organizations always have had a difficult time getting a handle on exactly what constitutes a true HIPAA breach, the Stark law has been straightforward, making it imperative that all staff members are on the same page. As many organizations acquire physician practices, long term care facilities, and other health care entities, it’s important to understand the financial implications of self-referrals. Knowing what constitutes a referral or a financial relationship can make or break Stark law compliance and, without any gray areas, there are huge implications for violators.
Organizations that self-refer within their group without offering patients the option to seek these services elsewhere face serious trouble. The same holds true for referrals to family-owned business partners. For example, it’s considered a violation if a physician refers a patient to an ambulatory surgery center where he or she is part owner without giving the patient a choice to go elsewhere. Another example of a violation is a physician who refers a patient to a facility owned by a family member for services such as durable medical equipment, therapy, or lab work without providing an alternative.
HIM and Compliance
For HIM professionals in search of a unique career path, corporate compliance is a viable destination, and several roads lead in this direction.
Interested candidates may want to work their way up to a director position, serve as the HIM department’s privacy officer, or become a coding auditor supervisor. Positions such as these grant HIM professionals the opportunity to advance their knowledge of the regulations within The Joint Commission, the Centers for Medicare & Medicaid Services, and other governing bodies. Valuable on-the-job training encompasses researching and creating measurable goals that aren’t necessarily in line with the hospital’s mission but rather with that of external bodies that track quality metrics for the organization.
Schuster suggests filling corporate compliance positions with candidates sporting extensive knowledge of the legal and medical fields who understand how to apply them in a regulatory environment.
To further bolster their candidacy, HIM professionals interested in entering the compliance world should seriously consider becoming certified. AHIMA offers the certified in health care privacy and security credential, signifying the professional has been trained to implement and maintain a comprehensive privacy and security program. Other organizations offering certification include the Health Care Compliance Association (certified in health care compliance) and the International Association of Privacy Professionals (certified information privacy professional).
Move With the Times
Health care compliance and corporate responsibility are constantly evolving. It takes diligence to stay abreast of current laws and educate staff on all revisions. To determine performance, organizations can track measurable items yearly to compare themselves with previous years and external organizations both locally and nationally. From there, a plan of action can be developed to shore up any deficiencies.
— Kelly M. Ellis, RHIT, CCS-P, is a senior consultant with Care Communications and a board member for the Ohio Health Information Management Association.