Healthcare Company Ethics and Compliance Program Requirements: Policies, Procedures, and Best Practices
Each part of your healthcare compliance program needs to meet requirements set by the Office of Inspector General (OIG). Your HIPAA policies and procedures need to contain specific language, which is explained below. This document serves as a list of those requirements and will help your company identify any areas that are either lacking or need to be updated. In the event of an audit by a government agency such as the Office of Civil Rights (OCR), or a follow-up after a breach, your compliance program will be assessed. In those events you will be asked to provide your policies and procedures, as well as the other documentation listed below.
Keep in mind that each of these policies, as well as the other components of your compliance program, needs to be reviewed at least annually. This annual review needs to demonstrate updates, modifications, and changes based on new compliance regulations and standards. Your annual assessment needs to be done internally, and it is strongly recommended that your program also be assessed externally by qualified professionals.
These policies should be drafted in the Scope, Purpose, Procedure format, and every employee should have easy access to all of them. Online access for your employees is the best-case scenario and, with the correct platform set up, will allow tracking to demonstrate completion rates.
HIPAA Policies
HIPAA Use and Disclosure of PHI Policy — This policy needs to demonstrate how your company handles both the use and the disclosure of PHI. It should cover contractors, vendors, all employees within your company, and outside agencies.
HIPAA Use to the Individual Policy — This policy explains how the use of HIPAA-related information applies to the individual or patient involved. Its language needs to be specific and address every use currently in operation. These uses may change over time, and the policy needs to be updated to reflect the most current information. It is important to review this policy annually so that it meets current industry standards.
HIPAA Amendment to PHI Policy — If there are amendments to PHI which you as a healthcare company provide, they must be recorded and documented. This policy should address how that process is completed and what the requirements are for completion.
HIPAA Authorization for Use Policy — This policy must detail the authorization requirements in place to ensure the protection of any PHI and ePHI.
HIPAA Disclosure for TPO Policy — This policy must address the standards you have in place regarding Treatment, Payment, and Operations (TPO) and what qualifies as meeting these standards.
HIPAA Breach Notification Policy — This policy must explain in detail the Office of Civil Rights (OCR) standards for a breach notification and how your company responds in the event of a breach.
HIPAA Designated Record Set Policy — This policy must explain what constitutes a designated record set within your company. Items can include medical and billing records and other documents containing PHI. It also needs to provide a list of what is excluded.
HIPAA Minimum Use Policy — This policy needs to explain what minimum use is and how it affects those who have access to PHI and ePHI. The explanation should include how minimum use applies to specific levels of access based on the responsibilities of job roles within your company.
HIPAA Mitigation Policy — This policy must explain the procedures you have in place when the improper use or disclosure of PHI occurs and what steps your company will take to mitigate any harmful effects.
HIPAA Non-Retaliation Policy — This policy must explain that your company will not retaliate against any individual for reporting a HIPAA compliance violation. Detailed examples of how violations are reported should be included.
HIPAA Privacy Training Policy — This policy should explain your training provisions for all employees, along with the frequency and requirements of this training.
HIPAA Sanctions Policy — This policy should explain the sanctions imposed on any employee who fails to comply with HIPAA policies and procedures, along with examples of the violations that lead to sanctions.
Accounting of Disclosures Policy — Any time PHI is provided to any outside agency, it must be accounted for and documented. This policy needs to address every disclosure of data which could either be PHI, ePHI, or III which could be considered at risk.
Data Privacy & Security
Data Governance Policy — This policy will provide data management and data governance standards including governance structure for data access, data usage, data integrity and consequences of noncompliance.
Data Access Policy — This policy will outline the access controls and standards you have in place for managing access. Protocols will be provided which protect all forms of data within your company, including data which is created, stored, or transmitted in any way.
Notice of Privacy — This policy will include several key components such as notice of privacy practices, duties which are required by law, how information will be used and in what capacity, governmental disclosures, and authorization for disclosures.
System and Database Security Policy — This policy will provide descriptions of how protection is provided for all information assets, along with standards of system administration, database controls, malicious software protection, configuration, backup and recovery and audit log security.
Security Vulnerability Management Policy — This policy will provide a description of vulnerability management, including how security reviews are completed, a description of system security reviews (external / internal / penetration testing), and the designation of responsibilities. It will also address the standards in place, including risk management reviews, security monitoring, vulnerability management, patch management, and system security reviews.
Risk Management Policy — This policy will address standards for risk management, security control measures in place, access controls, encryption, change management, monitoring systems, contingency planning, and training.
Access Control Policy — This policy will address Information Security and Access for all systems, network devices and databases. It will include the designation of security officer and outline user access along with formal access requests, access change and access termination.
Encryption Policy — This policy will address the standards in place, including strong cryptography and encryption techniques such as SSL, TLS, and IPsec, to protect and safeguard data transmission over the internet and wireless networks.
In addition to policies and procedure requirements for your compliance program, there are many other pieces which need to be in place so that you and your healthcare company are demonstrating a fully functional compliance program. Having these items in place will prove to government entities such as the OIG that you take compliance seriously and have implemented the required standards across your business.
Security Risk Assessment
The Security Risk Assessment (SRA) must be completed annually, and you must have records which show this is done consistently within your company. The SRA is meant to assess risk related to the security of data, specifically PHI and ePHI. This tool requires significant manpower to complete correctly, which is why some consulting companies charge $100K to complete it.
The SRA will take each data asset within your company and complete a formal risk analysis on it. All data assets which create, store, or transmit PHI and ePHI will be quantified against the likelihood of risk. Once this is scored and documented, a solution must be provided for those items deemed high risk.
Those items which are scored as high risk will require a solution immediately. This process can be lengthy, but it is a mandate by the Office of Civil Rights (OCR) which is the government entity responsible for enforcement and penalties associated with HIPAA breaches.
BAA Policy
This policy will explain how and when the Business Associate Agreement is to be used, define the covered entity and the business associate, state the signature requirements, and include an example of the actual Business Associate Agreement, which will contain language addressing HITECH, ePHI, the time frame of coverage for the BAA, and signature requirements.
Code of Conduct
The Code of Conduct can be used as a baseline training tool for your company. This document should cover everything related to compliance within your company. Making this document available on your website is also advisable because it demonstrates ease of access not only for your employees, but also for any patients or vendors you may work with.
A strong Code of Conduct document will reflect your company's brand and will serve as a means of communicating to all that you are making every effort to have a fully functional and efficient compliance program. Content within your Code of Conduct should include the following:
- Employee Responsibilities
- Compliance with Laws and Regulations
- Business Ethics and Protection of Data
- Conflicts of Interest
- Reporting of Wrongdoing
- Compliance Hotline Information
- Letter from CEO
- Real Life Examples of Compliance
- HIPAA Statement
- Dos and Don'ts
- Training Standards
- A Summary of Federal and State Regulations, Laws and Statutes which apply to your company
Training Requirements
If your healthcare company is ever audited by a government entity such as the OIG or is investigated because of a Qui Tam / Whistleblower Lawsuit, one of the first things requested will be your training program. Your training program needs to include information which is specific to the healthcare industry. This means training which addresses HIPAA, privacy, and security, as well as the prevention of fraud, waste, and abuse, which includes regulatory training on the False Claims Act (FCA), Anti-Kickback Statute (AKS), Stark Law, and Civil Monetary Penalties (CMP).
Your training program needs to be trackable for every single employee and you should have attestations for specific policies which are unique to your specialty within healthcare.
Ease of access for employees is very important, as is the ability to achieve at least an 85% completion rate for your company, whether you have 5 thousand employees or 5.
A record for each employee proving they were trained in HIPAA, Compliance, OSHA/Safety, and HR is required at the time they are hired and then each year they are employed.
Auditing Procedure
An ongoing auditing program with an auditing schedule needs to be implemented and joined together with risk and compliance so that it becomes a component of the program demonstrating oversight. It is strongly recommended to have not only internal audits completed of each part of your company (Marketing, Billing, IT, Operations, etc.) but to also have external audits completed.
For example, a billing audit should be conducted against the coding that applies to your company. Also, remember that a regular and consistent audit of your compliance program is recommended by the OIG to ensure your program is meeting all Compliance and HIPAA requirements.
Your audits need to be completed by qualified personnel who hold the appropriate certifications. The audit program should be closely tied to the compliance program, with documentation to prove it.
Exclusion Check Policy
You should be running exclusion checks on every employee within your company. This policy will outline how this is done, the frequency of the checks, and what the resolution protocol consists of, if someone is identified as excluded.
Establishment of Compliance Committee and Compliance Board
The Compliance Committee (CC) should consist of key leadership within your healthcare company. The overall size of the committee will depend on the size of your company and how many departments need to be represented. The CC will function as a governing body that provides oversight for the compliance program within your company and should meet regularly with formal minutes taken and recorded. Items covered in the compliance committee meetings will include policy creation and review, risk analysis, company training oversight, reporting from key leadership, pertinent investigations, audit review, regulatory review and updates, and any other compliance issues that may arise.
Disaster Recovery Plan
Your disaster recovery plan needs to contain the plan you have in place for any type of disaster, including environmental, biological, and technical. It should designate who provides oversight during events like a hurricane, tornado, fire, pandemic, or shutdown of cyber-related systems. Mock drills which document training for all staff are imperative, and the plan should also outline the procedures in place, such as evacuation, inventory of supplies on hand, backup systems for cyber breakdown, and the protection of patients, employees, data, and physical assets.
Crisis Communication Policy
This policy will spell out who is the primary spokesperson for your healthcare company in the event of a crisis. It should also provide guidance for written and oral communication to media outlets, government agencies, patients, and employees along with who is designated to fulfill this role.
Running Exclusion Checks
Exclusion checks need to be run consistently and regularly for all employees and vendors. Our recommendation is to complete these monthly so that you have documentation which shows the eligibility of all employees within your healthcare company. If exclusion checks are not run consistently and regularly, you risk having to pay back every claim the excluded person was involved in, and this can sometimes be a large amount of money. Additionally, there are possible large fines associated with these scenarios, as well as the possibility of your healthcare company being excluded. If your company is excluded, this will usually result in the company no longer being able to participate in Medicare, Medicaid, and any federally funded programs, including commercial claims that may have a federal component as part of their plan.
Ethics Hotline Reporting
Ethics hotline reporting serves to demonstrate ethics to your customers/patients as well as to your employees. The hotline will provide assurance that your company is operating at the highest ethical levels.
It should be set up to allow complete anonymity for the reporter, with the understanding that any form of retaliation will not be tolerated. Promotion of the hotline should reach all staff as well as customers/patients. The promotional materials can be placed on your website as well as in physical locations (posters/fliers) to convey the areas of focus, which include Anti-Bullying, Anti-Harassment, Anti-Bias, Anti-Fraud, and Pro Employee and Patient Safety. Access to the ethics hotline should be available by phone, text, email, and website. The best way to demonstrate that the ethics hotline is taken seriously is to have it implemented and controlled by a third-party vendor.
Another benefit of the ethics hotline is prevention of Qui Tam / Whistleblower Lawsuits against your company. Whistleblower lawsuits within the healthcare industry have accounted for billions of dollars in fines and penalties every year for the past decade. This means that the likelihood of your healthcare company facing a whistleblower lawsuit is extremely high. Why? Because the whistleblower lawsuit environment has been given a high priority by the government and this has caused a huge increase in these types of cases.
BAA / Business Associate Agreement
The BAA is essentially a contract between your business (Covered Entity) and another business (Business Associate) that deals with any form of PHI or ePHI. The BAA demonstrates that the company you are working with abides by the standards within HIPAA and the HIPAA privacy rules. If the business associate ever has a breach, the BAA serves as proof that you are not held liable, because the business associate has agreed in it to follow all HIPAA and HIPAA privacy rules. The BAA needs to have language which addresses the HITECH Act, as well as a start and stop date for when the agreement is in effect. It also must be signed by someone with the authority to do so. Additionally, having all your BAAs signed, reviewed, and updated yearly is required. It is a good idea to assign oversight of all your BAAs to a designated privacy officer so that all records are organized and easily accessed in one location.
Designating Chief of Compliance and Privacy Officer
The OIG (Office of Inspector General) provides details of what a compliance program for a healthcare company needs to contain. One of those details is the designation of a Chief Compliance Officer and Chief Privacy Officer. The best-case scenario is to hire this individual or individuals to focus solely on compliance within your company. However, depending on the size of your healthcare company and budget availability, this may or may not be possible. One option is hiring a consulting agency to run this for your company such as www.hippomt.com. This option is usually much cheaper than hiring a full-time compliance officer.
Beware of assigning this role to someone with little or no qualifications within your company as this can often result in more problems.
Need Help Building Your Compliance Program?
Written by Darren Speed — Chief Compliance and Privacy Officer, HIPPO MT
If you would like HIPPO MT to help you with any of your Compliance, Privacy, Ethics, or Security needs, please contact us at 817-422-1413 or visit our website at www.hippomt.com.