Compliance officers everywhere want to believe the compliance program they oversee is effective. Some believe it is effective, some hope it will be found effective, and some know the program is not effective because of significant gaps in one or more of the seven elements of an effective compliance program. If you are a believer, ask yourself, “What methods have I established to demonstrate effectiveness?” If you are filled with hope, well, hope is not a strategy. If you know your program has gaps, what are you doing to address those gaps? An additional resource now exists to help evaluate effectiveness. The OIG/HCCA Measuring Compliance Program Effectiveness: A Resource Guide, released March 27, 2017, provides recommendations on what to measure and how to measure it under each of the seven elements.
Most healthcare organizations today have a compliance program, but how many can say the program is effective and, more importantly, feel confident they could demonstrate effectiveness? It is not uncommon to hear, “I cannot define effectiveness but I know it when I see it.” Why is this important? All compliance professionals know that a paper compliance program (a compliance plan that sits on the shelf along with well-drafted but unimplemented policies and procedures) is not effective. But as one assesses what an organization is doing in relation to the seven elements of an effective compliance program based on the Federal Sentencing Guidelines and all the various OIG compliance program guidance documents, the process gets more convoluted. How much is enough, and do you just want to do “the bare minimum”?
Covered entities deal with many complex privacy and information security issues, but institutions that conduct research have an additional level of complexity. Key to understanding the implications of privacy obligations in research is understanding the multiple regulations that could apply to human subject research.
My colleague David Holtzman recently wrote a blog post on the OCR resolution agreement with the University of Massachusetts at Amherst (UMass). UMass designated itself as a hybrid entity but did not appropriately identify and designate all applicable functions that engaged in health care activities as inside the health care components (HCC) of its hybrid entity structure under HIPAA. Why might this not be as easy as it sounds?
For many things in health care, if you don’t spend the energy and resources to reduce risks now, you will likely pay for it later. However, if you wait until later, it will cost more to take care of the problem than it would have to prevent it. We all know that if we eat healthy, exercise and get our routine medical and dental examinations, the risk of serious health conditions is reduced. Catching a disease early could mean the difference