Compliance Offices Are Assuming Additional Responsibilities
Most have taken on responsibilities for HIPAA Privacy and Internal Audit
For many organizations, the Compliance Officer is a convenient party to take on additional duties as organizations tighten their budgets. This is a trend observed in the health care sector and conveyed by respondents in the soon to be released national healthcare “2019 Compliance Benchmark Survey” (Survey) conducted by Strategic Management and SAI Global. (Results from 2018 are available here.) In many cases, this assumption of duties is not accompanied with additional resources, placing a strain on the compliance office. Three quarters of Survey respondents reported that their Compliance Officer had assumed responsibility for HIPAA Privacy, and nearly one third had assumed responsibility for HIPAA Security. Nearly half of the respondents reported that Internal Audit was part of their compliance office, and over one third reported that risk management was a compliance office responsibility. About thirty percent of Survey respondents reported assumption of duties regarding other varied activities, such as revenue integrity, credentialing, and clinical oversight. Seventeen percent reported having their Compliance Officer assume the function of legal counsel. Organizations should take care when imposing new duties on their compliance officers that go beyond the traditional compliance duties, especially where there is a risk of undermining the compliance program. For example, one duty that should not be part of compliance is risk management. This clearly goes beyond the boundaries of corporate compliance and, in many cases, involves clinical issues outside the expertise of the compliance office. Additionally, both the Department of Justice and the Department of Health and Human Services Office of Inspector General have made it clear that Compliance Officers should not be subordinate to or responsible for the legal counsel function of an organization.
