Cover Story: Your Compliance is Assured

Cover Story: Your Compliance is Assured

Medical Dealer Magazine | Cover | Your Compliance is Assured
When people think about the subject of compliance, it’s hard not to conjure up the lasting image from the boardroom scene in the 1987 movie, “roboCop.”

In it, the slick corporate masters of a police robot that is intended to replace human law enforcement officers are showing off how powerful and uncompromising the new machine, dubbed ED-209, is at stopping crime.

But instead of inspiring confidence, the scene goes horribly wrong when the unit, which has trained its weapons on a man brandishing a gun for demonstration purposes, ignores his compliance with the request to stow his weapon and blasts the “suspect” to pieces anyway.

For healthcare organizations staring down the barrel of a federal enforcement mechanism that’s the policymaking equivalent of an ED-209, it can be hard to not think of things in such terms.

But when considering the needs of a healthcare system to establish and maintain fidelity to a strict set of reporting and self-auditing measures for the sake of federal reimbursement, compliance is at the very least a thorny thicket in which it’s easy to get lost.

Changing Behaviors

Medical Dealer Magazine | Cover | Your Compliance is AssuredThe biggest challenge for any compliance program in a healthcare setting extends beyond questions of patient care and into the realm of personal habits, says Peter Martini, the Chief Strategy Officer of web security compliance vendor iBoss, of San Diego, Calif.

Essentially, he says, it boils down to the question, “How do we deal with the consumerization of IT?”

iBoss consults with a number of clients in the healthcare sphere, Martini said, and his company has discovered that consumer culture has never been more pervasive in the workplace than at present.

Technology is so ubiquitous that policymakers are no longer necessarily looking to prohibit access to applications and the personal electronic devices on which they’re run, but to find ways to integrate their use with workplace activities.

“Instead of slapping users on the wrists, we found it much more effective to augment their behavior,” Martini said. “Instead of going to a blocked page, it will actually redirect you.”

Martini talks about how healthcare professionals who might use free versions of cloud storage applications like Dropbox or conference calling software like WebEx on their personal devices are expecting to be able to have access to those technologies at work as it supports their ability to practice medicine.

“We have a policy first and foremost that helps users adopt the existing services,” Martini said. “Try and identify any technologies they are using, [and] let them make a clear understanding of why, if they are going to use it, to utilize a centralized account.

“From an organizational standpoint, we have to provide them with an alternative,” he said, which leads network administrators to not just block access to a web-based program, but to provide alternative language that leads like, “It looks like you’re looking for a personal Box account; [did you know] we have our own corporate account?”

“Once you realize it’s a corporate account, it is about education,” Martini said. “With the click of a mouse, you can create policies that access the technology remotely. It’s more about monitoring the technologies remotely and reminding them that it’s not ‘yes’ or ‘no,’ it’s what you do when you’re on there.”

Many of these applications are not only useful from a productivity standpoint, Martini says, but they are either free or low-cost at the enterprise-class level, which means that integrating them into an overall network policy can help support staff without a significant impact to the bottom line.

“The staff and the doctors and the physicians, they all need the technology to make their lives easier,” Martini said. “[But] how do I adopt security for devices that really aren’t designed for the enterprise space?”

At the root of managing those considerations, he says, is creating a plan founded upon a centralized auditing system with efficient strategies for managing user passwords and credentials. Multi-site organizations should start by building patient access into their networks with “a clear and concise policy for security,” Martini said.

For sites that implement a BYOD (bring your own device) policy for doctors and staff instead of rolling out a company-owned and managed network of iPhones or similar devices, administrators need to create a gateway security system that ensures compliance, Martini said.

“Once you can control the gateway — the Internet — that really is certainly the core of what you can create in your security policy,” he said.

Medical Dealer Magazine | Cover | Your Compliance is Assured

“The problem now is that it’s sort of the Wild West; they don’t know who’s who anymore,” Martini said. “One thing people forget is that a consolidated policy, or auditing mechanism, isn’t integrated in the device. Make sure you have a rollout where you can identify every user on the network.

“You have to have some sort of filter that will ensure compliance, so that if they go on a browser, go on the web, it’s filtered,” he added. “If they’re managing multiple remote sites, you can have a cloud system where they manage these remote sites from a centralized panel.

“When you search for a report on a user, it’ll be able to tell you about that user as they jump around to different sites or the history of a user from a different site,” Martini said. “Identify if there is any personal information stored; if it’s lost, how am I going to deal with that? Understand what you’re implementing and rolling out.”

Managers not only have to secure every user that accesses the system, but also identify him or her as well via centralized compliance reports. Guests will be subject to certain policies versus those pertaining to staff, he said; even different members of the staff “may have a little more flexible access so they can access social media versus somebody at the front desk.”

“On a personal device you don’t have that freedom,” Martini said. “We see organizations install a mobile device management type of product, and it installs on your device, and gives an administrator mobile cloudbased access — turn off your camera in certain areas of the building, create a secure shared folder.

“These things are lost on a personal device,” he said. “You’re limited to what happens when you open a browser. It becomes a tool for monitoring overall activity.”

In such a distributed hierarchy, Martini says, it’s important for organizations to consider different scenarios of potential violations to prevent patient information from being released inadvertently. The most important part of such an arrangement, is that it provides a paper trail for administrators to show that they’re performing their due diligence; that the system at least has procedures in place that provide evidence of structure.

“You definitely want to have a reporting hierarchy,” he said. “Access to any new technology should be identified and reported for personal use.”
A foundation of risk management

According to Bethany Hills, MPH, the foundation of any compliance program is risk management. Hills is an attorney with Epstein Becker & Green, P.C, of New York, N.Y., and says the laws in that state have helped lay a foundation for national policy.

Medical Dealer Magazine | Cover | Your Compliance is AssuredSince 2009, any health system in New York billing or receiving at least $500,000 in Medicaid has been mandated to establish a compliance program, Hills said, making organizations in that state de facto countrywide leaders in following a federal compliance blueprint.

That doesn’t necessarily mean that New York-based healthcare systems are specifically better at managing risk, or that they’re even more risk-aware than clients in other areas, she said. In fact, risk management is “some of the most complicated things to ask a client to do,” Hills said.

“They aren’t exactly sure where to look for the risk or what constitutes risk; how you define it,” she said. “So often there’s a very strong interrelationship between risk management on the financial side and risk management on the quality assurance side; a patient safety, injury, and adverse-events approach.

“Then there’s the legal and the client risk,” Hills said. “Sometimes there are risks that may not have much of a financial impact, may not impact patient safety, but may violate the law. That’s where I see putting together a team to do a risk assessment.”

A healthcare provider may understand that they have to create a compliance program, she said, but they may not know much about how multiple factors — like billing and quality assurance, for example — also have their own components of risk, and should be unified within a distinct set of policies.

“I usually am working with our clients to take a step back and say, ‘OK, what do you have for policies and procedures across the board? What do you consider from a broad range of compliance aspects?’ And then you can figure out how much of a risk you have in certain security areas,” Hills said.

“Every time they turn around, [there’s] a new mandatory compliance program,” she said. “So you have a variety of different competing legal requirements.”

And there’s more on the horizon, she said. Under the Affordable Care Act, every provider that bills Medicare and Medicaid soon will be subject to a national mandatory compliance program requirement — just as those in New York have been for four years.

“The number one rule that I always end up repeating to the clients is, ‘Yes you have all the required features, but the bottom line is, have you done a risk assessment?’ ” Hills said. “Are you constantly reviewing your practices to identify problems? That’s the focus on whether a compliance program is actually working.”

The other component of a federally enforced compliance program is its mandatory requirement that when a health system finds any issue with its Medicaid or Medicare billing, repayments are mandatory. The system makes healthcare providers take over the government auditing role, Hills said, and assume the responsibility for managing those issues themselves.

“When it’s functioning in the most ideal way, you would be evaluating your problems internally, then disclosing [them] and repaying the money,” she said.

“If everyone has a good compliance program, the goal is that it should eventually reduce the number of audits you have. You should already, as a facility, be proactively identifying the problems and dealing with them without the government trying to find them six years later in an audit.”

But what providers can encounter, Hills said, is when those two functions begin working competitively against each other. If a health system has a rigorous and effective internal auditing practice that is double-checked by an aggressive government auditing practice, “then you have this vicious cycle of the government auditor having to look for more and more attenuated reasons to disallow claims or to look for problems,” she said.

"The provider in their own compliance program is actually finding the low-hanging fruit, so it makes it more challenging for the government to identify problems,” Hills said. “What we’ve found is this really aggressive auditing tactic: suddenly providers are thinking they’re doing the right thing, and then at the same time they’re getting really aggressive audits from the government.”

Another offshoot of the hyper-focus on compliance at the federal level, Hills said, is “the explosion of a whole new profession”; that of the compliance officer — usually someone with a quality assurance or risk management background who is tasked with making sure that the program is functioning.

“Then, when the government shows up, it becomes really frustrating for the compliance officers to spend their entire day looking for problems,” she said. “You should be able to decrease the amount that you’re paying back on government audits, but if the reaction is that the government is more aggressively auditing, then you’re not seeing the financial benefit of a compliance program.”

What Hills said she hopes will emerge as the natural evolution of this circumstance is a government auditing program that is less frequently employed but targets more specific and emergent issues.

“They should be able to back off on the actual core reimbursement audits, and instead, they should consider shifting their priorities more into looking at making sure that facilities have functional compliance programs,” Hills said.

“If a facility has a functional compliance program, know that those programs should be doing the prospective, proactive catching
of issues,” she said. “It’ll be interesting to see how they approach that at the federal level.”

Ultimately, Hills said, the purpose of improving a compliance program is to improve the standard of care delivered to patients nationwide. When those metrics become tied to financial performance the lines could be blurred.

“I think it’s frustrating for everyone to not see the direct link between an improved quality of care and a compliance program,” Hills said. “That’s why, even though it’s very rarely part of a government-required program that there be an evaluation, there are existing structures that review patient outcomes and the quality of care.

“You can identify patterns when you look at length of stay, how quickly patients are admitted and discharged,” she said. “You can look to see if there’s something that happens during that stay that could have been handled better.”

Medical Dealer Magazine | Cover | Your Compliance is Assured