Industry News

Tips and Tools for Co-Sourcing Compliance Program Functions.

Compliance Officers are facing mounting regulatory and internal demands without adequate resources to meet all of these challenges. It is also becoming increasingly common to include HIPAA Privacy in the portfolio of Compliance Officer responsibilities. Accordingly, there are ongoing efforts to extend compliance program capabilities while remaining sensitive to limited available resources. A few options exist for doing so. While many compliance officers prefer to “in-source” new staff to address the increasing compliance demands, most face internal staffing limitations. Some organizations opt to outsource their compliance functions to a temporary Interim Compliance Officer (ICO) when the previous officer leaves the organization. Smaller organizations may contract the compliance function responsibility to an individual or firm by procuring a Designated Compliance Officer (DCO). Co-Sourcing is a “middle ground” third option between hiring additional staff and outsourcing. This third option may prove to be the best strategy available for compliance officers, if implemented correctly.

Compliance Officers are increasingly Co-Sourcing compliance functions on a limited, rather than full-time, basis. Co-Sourcing uses limited vendor services and tools to address key elements in the entity’s compliance program; the third-party vendor is used to supplement limited staff resources. The key factor that separates Co-Sourcing from outsourcing is the preservation of control and direction under the entity’s compliance officer. The third-party individual or company will complete some of the compliance tasks on an ongoing basis. Some of the common Co-Sourcing tools and services include: hotline operation; compliance training programs; code and policy development and updating; audit guides for high-risk areas; sanction screening tools or processes; and compliance surveys.

The OIG recognizes Co-Sourcing as a useful solution for organizations with limited compliance expertise and resources. The Co-Sourcing compliance option can also allow the entity to access a range of compliance specialists without having to employ them full-time. Additionally, careful use of vendors to supplement the Compliance Office can save time, money and effort, while maintaining flexibility to end an arrangement at any time.

Common examples of Co-Sourced compliance services include:

  • Enterprise Risk Management Assessments;
  • Ongoing Monitoring/Auditing;
  • HIPAA Privacy/Security Rule Evaluations/Risk Analysis;
  • Physician Arrangements Reviews;
  • Conducting Internal Investigations (compliance and/or HIPAA);
  • Using a statistical Data Claims Expert to determine error rates;
  • Using on-call expert advisors and regulatory analysts;
  • Conducting “Mock Audits” and Claims Reviews;
  • Using Compliance Liaisons/Managers (outlying facilities);
  • Using Designated HIPAA Privacy/Security Officers; and
  • Internal Auditor Services.

Expert tips for Co-Sourcing compliance functions include the following:

  1. Clearly define the duties, tasks, responsibilities, and methodology for the compliance vendor to follow;
  2. Ensure the service agreement is flexible to allow adjustments to the levels of service as needed;
  3. Look for providers that have industry-specific compliance expertise;
  4. Check the experience and seek references of the firm;
  5. Ensure the specific staffed individuals have the needed skills, experience, and expertise;
  6. Consider that smaller niche firms are more likely to provide better, less expensive services – bigger is not always better; and
  7. Seek discounts for bundling arrangements if the organization is planning to Co-Source for multiple tools and services.