Compliance needs a shrewd strategic plan
Creating a strong compliance program is key
Complying with a long list of healthcare-related laws and regulations remains a major challenge for provider organizations around the country. But a growing number of hospitals and practices are now viewing these pain points from a different perspective. Instead of looking at them as routine operational responsibilities, they are incorporating compliance into a carefully crafted strategic plan, one that not only reduces the risk of large penalties but may even provide revenue opportunities.
A recent report sponsored by the Association of Healthcare Internal Auditors and the consulting firm Protiviti ranked the top compliance priorities and compared them to priorities in 2012. This year, respondents, which included 88 U.S. healthcare providers, listed health information exchanges (HIEs) as the area that needed the most improvement, followed by value-based purchasing. ICD-10 implementation and payment bundling were tied for third place. In fourth place were accountable care organizations, clinical documentation, ICD-impact and readiness, pay-for-performance quality standards (CMS core measures and HCAHPS), and state-specific privacy/security laws. By contrast, in 2012, survey respondents listed meaningful use and HIEs as two key areas requiring the most improvement.
Alex Robison, Protiviti’s managing director, would add to that list meaningful use and HIPAA. “Organizations need to evaluate significant areas of risk from a HIPAA security standpoint,” he said, identifying where the vulnerabilities are, what systems are integrating with the electronic health system and how often a risk analysis is being performed.
And HITECH regulations and the Federal Information Security Management Act (FISMA) cannot be overlooked, said Mac McMillan, CEO at CynergisTek, Inc., an IT security consulting firm.
“A lot of our healthcare organizations are engaging in ACOs, or they’re part of a HIE,” he said, and as a result of many of these relationships, they are signing data use agreements with the Centers for Medicare & Medicaid Services, which raises the bar in terms of the level of security that healthcare organizations have to maintain.
With so many compliance issues to manage, it’s smart for healthcare companies to make their compliance programs part of the strategic plan.
“It actually makes the organization more profitable,” said Sean Weiss, chief compliance officer and vice president at DoctorsManagement, a practice management firm. Conducting compliance audits as part of that strategic plan, for example, “doesn’t just identify risks, it helps identify revenue gaps.”
The board of directors and C-suite executives are responsible for making strategic decisions, so the pressure is on them to create a strong compliance program, noted George Siedel, JD, a professor of business administration and business law at the University of Michigan.
To create a strong compliance program, he said, it is imperative that C-suite executives understand the federal sentencing guidelines because those drive the compliance effort for all businesses. “Those guidelines essentially say that if your organization is found in violation of the law but has a strong compliance program in place, the penalties incurred will be significantly reduced.”
A strong compliance program, he said, requires executives to establish strong standards; communicate those standards to all levels of the organization; and enforce those standards.