The 2021 Compliance Benchmark Survey of Compliance Offices conducted by Strategic Management Services and SAI Global found that the top compliance issues have remained essentially the same over the last three years, changing only slightly in the order of priority. The following are reminders of the compliance issues that remain at the top of the list for 2022.
The 2021 Survey found (a) over three-quarters of compliance officers are now responsible for HIPAA Privacy; (b) 58% of respondents identified HIPAA Security and Privacy as a top high priority; and (c) nearly two-thirds reported having HIPAA Privacy breaches, disclosures and/or Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforcement actions in the previous three years.
It is important to have a thorough understanding of, and pay attention to, HIPAA Program requirements including developing and implementing HIPAA policies to address the various regulatory requirements. All employees should complete annual HIPAA compliance training. Effective ongoing monitoring and auditing programs are also essential.
In 2021, the FBI continued issuing cybersecurity warnings as the number of security breaches in the healthcare sector reached new highs with the number of cases reported increasing by about 70% and reported losses exceeding $4 billion over the previous year. Healthcare organizations were found to have been particularly vulnerable, especially during the COVID-19 pandemic, with numerous cases of disrupted operations at health care facilities across the country.
The FBI suggested engaging in a proactive strategy by searching for signs of threat activity to prevent attacks before they occur or to minimize damage in the event of a successful attack. The FBI also offered many suggestions on how to implement these strategies, including: (a) providing individuals with access to their PHI, tracking investigations and corrective actions to completion; (b) reviewing and updating HIPAA compliance policies and internal controls; and (c) reducing inappropriate and inadvertent disclosures of PHI by workforce members with improved internal controls and training.
Nearly half of respondents in the 2021 Survey reported this as one of their top three compliance priorities. This area remains the number one enforcement area for both the Department of Justice (DOJ) and the HHS Office of Inspector General (OIG). Addressing this risk area begins with (a) assessing how medical need was determined for engaging part-time medical services, (b) defining the process for selecting the individual(s) to perform the services, (c) identifying the terms of the agreements, and (d) developing a process for verifying performance before payments are made. Consideration should also be given to the OIG recommendation to establish an Arrangements Database.
4. Chargemaster Accuracy
This was the next highest compliance priority reported by compliance officers moving forward from 2021, although this issue area was limited to the type of organization. The challenge is to ensure the accuracy and timeliness of charges as they are recorded within each department and to ensure ongoing monitoring of the charge entry process. Accuracy and timeliness of charging have a significant impact on organizational gross revenue, accurate and automated billing, timely payment, accurate budget reports, and correctly stated productivity.
Over one-third of survey respondents report this as one of their top three compliance priorities. Claims development and submission was also highlighted by the OIG in its compliance guidance for various health care entities as a primary compliance high-risk area. The OIG pointed out that this was one area where compliance program effectiveness can be evidenced and benchmarked. Government oversight agencies and their contractors frequently make huge monetary demands as a result of identifying patterns of errors in claims submission, which can be considered false claims.
Both the DOJ and OIG list false claims cases as their number two enforcement priority after arrangements with referral sources. It is therefore important that the responsible program managers be actively engaged in ongoing compliance monitoring of this risk. Program managers are the most knowledgeable about their operations and should: (a) keep track of changes in payment rules and regulations; (b) translate those changes into written guidance (policies, procedures) that act as internal controls; (c) train their staff on following the written guidance; and (d) monitor to ensure they are properly following that guidance. Ongoing auditing should verify program managers are completing these steps.
One out of four respondents reported this as one of the top three compliance priority areas. The OIG addressed COI in its compliance guidance documents, and DOJ in its “Evaluation of Compliance Program Effectiveness Guidelines” lists many questions on this topic. COI applies to a wide range of behaviors whenever employees make decisions in which they may have a personal interest (whether actual, potential, or perceived) that conflicts with the interests of their employer or a business partner.
Compliance officers should ensure that those in a position to make decisions are free from COI and that there are mandates for them to disclose any conflicts. The use of a detailed questionnaire for individuals to identify and explain business relationships is advisable. It is also important to determine how the COI information will be collected, reviewed, and followed up.
7. Executive and Board Level Conduct
One-quarter of respondents also ranked this as one of the top three compliance priorities. It was not clear what the issues were, but the ranking suggests that the behavior of individuals at this level continues to be a concern. Addressing this is very important as both the DOJ and OIG placed a high priority on having active support of leadership in promoting compliance.
Of note, in an October 28, 2021, speech to the American Bar Association, the Deputy Attorney General stressed “[a] corporate culture that fails to hold individuals accountable or fails to invest in compliance will lead to bad results.” The message was a clear warning to organizations that board members and executives could be held individually liable for compliance failures.
Elsewhere in the survey, respondents identified this as their number one priority for improving the compliance program. Important in accomplishing this is having a baseline against which progress can be measured. A solid baseline is best when done by an independent compliance program effectiveness evaluation, as suggested by both the OIG and DOJ, and/or an independent compliance knowledge or culture survey of employees, with results compared against a large database of others using the same survey tool.
For more information on this blog topic, contact Richard Kusserow ([email protected]).