The Essentials of Policy and Procedure Management
By Juliann Schaeffer
For The Record
Vol. 25 No. 10 P. 18
Judicious use of technology and regular education can help minimize compliance risks.
The Affordable Care Act. HIPAA. OSHA. If there’s one thing hospitals aren’t short of these days, it’s new rules. And for every fresh law or regulation that gets passed, new or updated policies follow, all of which must become familiar to staff members. Add in new technology adoption by way of EHRs or mobile health (mHealth), and you’ve got a sea of seemingly countless—and constantly changing—policies and procedures that overburdened employees must navigate daily.
“The number, type, and complexity of the requirements to provide quality care in a safe yet cost-efficient manner can be mind numbing,” says health care industry attorney Patrick J. Hurd, senior counsel on LeClairRyan’s health care industry team. “The constantly evolving provisions of the Affordable Care Act, the recently promulgated HIPAA Omnibus Rule, and other federal health care requirements impact every hospital department in some way. Add in applicable state laws and regulations, CMS [Centers for Medicare & Medicaid Services] Conditions of Participation, Joint Commission standards, and other accreditation requirements, along with a library full of compliance manuals and guidelines, and one can quickly see the need for a robust policy and procedure program.”
According to Meri Vangelas, senior consultant for advisory services at CTG Health Solutions, this evolving health care environment has changed the entire landscape of how policies and procedures are managed. “Think about it: Policies and procedures used to be written in a book and used for reference,” she says. “The influx of electronic information that directly impacts HIPAA has changed this into a living process where documentation and training are required on a regular basis.
“For example,” she continues, “when I worked at a major hospital in New York that converted from a paper chart to the EHR and updated their billing systems concurrently, not only was it a staff requirement to learn the procedures on how to manage an electronic chart and pay close attention to new HIPAA regulations through new log-in, authentication, and software procedures, but they also had to learn an entire process for processing charges at the point of care as opposed to billing at the end of the day on paper.”
Simply keeping up with every new law or regulation update is obstacle No. 1 for most health care organizations, but ensuring policies and procedures are effectively rolled out to employees can be just as complicated, if not more so.
“With the rapid pace of new and updated laws and regulations that providers must address, the task of ensuring that policies and procedures are up-to-date, available, and effective throughout the organization can be very difficult,” says Steve McGraw, president of SAI Global Compliance’s governance, risk, and compliance business, who notes that this can result in too many policies, many of which are ineffective because they’re either redundant or obsolete.
McGraw cites the example of a health care system that amassed more than 32,000 policies and procedures using manual tools such as spreadsheets, shared network folders, and e-mail. “Because of this volume,” he explains, “it was very difficult for employees to find relevant policies and determine if they were using the most current versions.”
In this storm of content, Hurd says hospitals must find a balance between ensuring employees know all the dos and don’ts and not bogging them down with harmful procedural overload. “From a content standpoint, it is vital to balance the prescriptive nature of policies and procedures to comply with applicable law and the need to assure comprehension so that health care staff modify their behavior to conform to such policies and procedures,” he says. “Too little detail creates confusion, while too much detail implies a ‘cookbook’ approach to health care and can harm individual professional judgment.
“Policies cannot remain static in today’s health care regulatory environment, yet revising them too frequently may actually increase noncompliance due to information overload,” he adds. “Procedures must also constantly evolve, but modifying them too often may cause errors among staff tasked with following the revised procedures, especially given the barriers to training and comprehension that such frequent fluctuations create.”
Overemphasize following the rules and patient care could take a backseat. However, taking the rules lightly “can result in adverse consequences to patient safety—even patient death,” Hurd says.
Technology to the Rescue
How can health care organizations strike a crucial balance to effectively educate employees in today’s changing climate? According to experts, one possible solution is to lean on the appropriate technology. “The best health care organizations will use both technology and education to manage their policies and procedures,” says Manny Jones, health care solution manager at LockPath, a provider of governance, risk, and compliance solutions. “It is imperative to hammer the importance of policies and procedures. Many organizations still use pen and paper to manage this process. Long term, this is unsustainable. Companies need a technology solution to streamline this process.”
Using technology to push out new polices can help organizations target certain departments or individuals when necessary, he adds.
Gone are the days when policies and procedures were available in a three-ring binder, a strategy that no longer meets the needs of today’s virtual environment, says Susan deCathelineau, MS, RHIA, vice president of global health care sales and services at Hyland Software. “Organizations need to provide the means for employees to access policies and procedures when and where they need them,” she says. “[They] need to find more creative ways to not only educate staff but also validate that employees have reviewed and understand policies and procedures. The rapid pace in which regulations change requires automated policy approval and dissemination as well as acknowledgment of employee access.”
Mary Poulson, MA, RHIT, CHC, CHPC, cochair of AHIMA’s Privacy and Security Practice Council and regional director of compliance and privacy for western regions at MEDNAX Services, agrees: “Utilization of a Web-based system for policies and procedures is an excellent method to reach staff that may be located in off site or outreach areas. As policies are updated, individual e-mails can be sent to staff notifying them of the changes and instructions on where to view the entire online policy.”
According to McGraw, automating policies and procedures did wonders for the system with 32,000-plus documents. “As the health care system made the transition to an automated policy management system, the total number of policies and procedures was cut by more than one-half by identifying and removing redundant and obsolete policies,” he says. “Through automation, they also gained version control that is used to review and revise policies on a timely basis. They also gained robust search capabilities, making it easy for employees to quickly find relevant policies and ensure that only current versions are in use.”
A Learned Approach
Vangelas says the manner in which hospitals educate employees on the finer points of policies and procedures is key to long-term compliance. Through various learning methods, such as the classroom, webinars, and eLearning, education must concentrate on not just what needs to be accomplished but why, she says. For example, a simple explanation to staff on the impetus behind new privacy protections can increase student acceptance.
According to Vangelas, work role-driven training is most effective when new laws or regulations emerge. “For example, when new HIPAA rules come into effect centered on managing the patient portal, training geared toward specific staff functions from the front desk to clinical staff is crucial,” she says.
On the other hand, e-mail can be more effective for simple updates. “For updates, I recommend e-mail that contains the link to the most recent copy of the policy or procedure,” Vangelas says. “I worked in one large hospital where the scan policy changed four times, and everyone had a different copy in their e-mail. Having a link to the most current policy would have addressed the issue very easily and ensured everyone was following the same indexing procedure.”
Vangelas says a blended approach, which utilizes traditional classroom training as well as eLearning and webinars for added flexibility, works best in a large-scale training rollout. It’s a strategy that has worked for her in the past. “The training was all mandatory and there were required competency exams, but compliance was high and, more importantly, the providers and the staff were happy with the flexibility,” she recalls.
Hurd believes in a robust employee orientation program with online training modules. “Each module should include a posttraining test and a minimum score to proceed to the next module,” he explains. “Allowing access to such online information 24/7 permits busy medical staff to access the training on their own time, of which they may have little.”
In addition, he recommends placing online the actual policies and procedures (supplemented by the laws and regulations, where applicable), with a clear table of contents, glossary, and keyword search, to allow easy access when necessary. “Fumbling around to determine what to do next is often costly and can be fatal,” he says.
Appropriate personnel also should ensure all policies and procedures are scheduled for regular reviews. “An early warning system should also be in place,” Hurd says. “The Joint Commission, CMS, and other key regulator/accreditation/compliance bodies issue notices of intended changes, proposed rules, compliance manual changes, and other foreshadowing tools. Staff must be alert to such developments and potential revisions built into the review schedule.”
How does HIM fit into the process? According to Hurd, because the department sits at the center of hospital information exchange, it serves as a vital cog in most policy and procedure activities. “Given the advent of electronic health records, policies and procedures can help shape templates, online protocols and checklists, and other aspects of the electronic interface staff operate within on a daily basis,” he says. “For example, gatekeeper controls can be established so that staff lacking the requisite training and education cannot access and/or implement a specific protocol without first completing the required training modules and passing the competency tests for the given matter. HIM plays a key role in that system design and implementation.”
Factor in the complexities that surround HIPAA rules and the harsh consequences of noncompliance, and Hurd says HIM also can help shape a hospital’s overall IT framework, not just the medical record. “Policies and procedures are components of the information exchange that must take place throughout the organization, and HIM serves as a vital hub for that exchange,” he notes.
Poulson agrees, noting that HIM always should have a seat at the table when HIPAA and mHealth policies and procedures are developed. “The knowledge and expertise of an HIM professional, supported by AHIMA, adds greatly to the process in any organization,” she says. “AHIMA and its members have developed many policies and procedures and practice briefs to assist its members. The HIM department interacts with all departments and adds value to any committee of an organization that is responsible for the development of policies and procedures.”
Ensuring Easy Access, Understanding
In addition to effectively rolling out new policies and procedures, hospitals also must ensure employees can access that information. “A policy is no good unless people are aware of it and follow it,” Jones explains. “One of the best ways hospitals can make sure their staff is aware of the dos and don’ts is to make sure there’s an easy way to access the new policies and procedures.”
Jones says most hospitals schedule yearly training, with employees signing a document after a long day of seminars affirming that they understand everything they’ve just learned. He suggests it would be wise to follow the training with an awareness campaign and an assessment to measure employees’ level of understanding. “If they are having a hard time answering the assessment, they now have an easy way to go and learn about the policy and/or procedures,” Jones says. “Teaching employees where to find policies is critical.”
Vangelas recommends keeping all policies and procedures up-to-date and available in an online central location. “For example, it’s an excellent idea to have the policies and procedures located on the corporate intranet,” she says. “However, that must be reinforced with a link, mapped by IT as a favorite, signage in break room areas, and an e-mail communication advising the staff to save the e-mail.”
“Further, implementing a single sign-on feature removes barriers such as having to learn and remember a new set of credentials,” says Jones, noting that a cloud-based platform could serve as a good central location for all policy and procedure information. “Also, having alerts e-mailed to inform staff that there is a new policy and to access the information with a familiar but secure process will reduce the burden of manually managing compliance.”
Ensuring access is one thing, but measuring employee understanding is another. Technology can help. “Having a platform that has an audit trail will show you everyone who reads and understands the policies and procedures,” Jones says. “With an audit trail, you know who opened and accepted the policy and when.”
Jones says technology also can help determine employee comprehension. “To test employees’ understanding, you can send them an assessment based on the policies and procedures. These should be scored to track their understanding and areas that may need more education and identify areas of risk in employee compliance,” he says.
Test results can help with outside audits as well. “Records of completed training and demonstrated competencies serve as concrete evidence of compliance,” Hurd says. “Still, most auditors will ask hospital staff to demonstrate their knowledge at the time of an audit, so following policies and procedures must become a part of the hospital culture. Just because such policies and procedures exist in a notebook or on a computer desktop icon is not enough; staff must give them life each day.”
Well-educated employees should not be the only consideration when anticipating a potential audit. According to Poulson, ensuring an organization’s policy and procedure information is updated and accurate can be just as important. “Regulatory and accrediting organizations rely on an organization’s policies and procedures to paint a picture of their operations and practices,” she says. “Lack of updated and poorly worded policies and procedures may result in a request for more documents and even an additional on-site visit, which could put the organization at risk for increased deficiencies and penalties.”
Overall, Jones says, “When your staff is following policies and procedures, there are fewer chances for the auditor to find mistakes or wrongdoings, so storing policies and procedures in a place that staff can easily find is very important,” adding that the onus still is on hospitals to make policies and procedures a top priority.
“Organizations must make it a priority for employees to understand policies and procedures,” he says, stressing that reviews simply are not enough.
— Juliann Schaeffer is a freelance writer and editor based in Allentown, Pennsylvania.