by Neil Caesar

Welcome back to Compliance University! Since our last session, the Health Insurance Portability and Accountability Act's privacy provisions have taken effect, and most of you have the necessary policies in place. Some of you (the wiser ones, in my opinion) are beginning to realize that it is not enough to know “the rules.”

But if HIPAA compliance is not about the rules and the policies, what is it about? The secret is to create a system to manage compliant procedures. Then, run the system, don't run the rules. Teach the procedures, don't teach the law. Monitor the activity, don't monitor the words.

At its core, an effective compliance program is a “systems management” program with a few key elements. To create the system, you should:

  • Identify the way you do things.

  • Verify that your process is compliant with all necessary rules, both outside laws and internal policies.

  • Write down your existing compliant procedures in a clear form that can be used by everyone who must follow the procedures.

Finally, install a system that:

  • Monitors adherence to your compliance policies.

  • Requires reporting of questions or concerns about the policies and your employees' adherence to them.

  • Investigates these questions and concerns, and resolves them with appropriate accountability by all involved.

  • Enables those responsible to monitor new developments in the rules that govern the system — both external laws and internal shifts in management priorities.

This list can be used for all compliance initiatives, including HIPAA compliance, accurate billing and anti-fraud compliance. The system also can be effective for all operations, even those that don't necessarily implicate HIPAA or the reimbursement and anti-fraud rules. Are we stocking and taking inventory correctly? Are we warehousing and delivering correctly? Are we billing correctly? Are we managing our receivables and our payables correctly? The answer to all of these questions may lie in some variation of the approach outlined above.

Note that only the first three steps of this pathway to effective compliance are required by HIPAA rules. The remaining steps create the system to manage the rules, and become the “glue” that holds your HIPAA compliance efforts together.

This systems management approach ensures that your policies and forms are monitored, that problems are identified and investigated and that the quality improvement of the system is ongoing. The system provides continuity, clarity and comfort in knowing that you can control the confidentiality and security of your protected health information.

The key is a compliant culture, with a clear system you can use to train your staff on how to do things (which is not the same as teaching them about the law): where you memorialize procedures so that everyone knows exactly what should be done; where you monitor compliance with the procedures; where you require people to alert you to problems; where you investigate problems; and where you fix mistakes.

HIPAA security compliance requires you to do what is “reasonable.” This is a vague concept, and it won't take long to spend enough money, and time, to become safe — but broke. At the end, you could still wind up with an unsecured operation. All it takes is one staffer who is insufficiently trained in your culture of security compliance to defeat thousands of dollars' worth of security hardware, software and other gadgetry. Remember that all the locks in the world don't matter if you don't close the door.

Neil Caesar is president of the Health Law Center (Neil B. Caesar Law Associates, PA), a national health law practice in Greenville, S.C. He also is a principal with Caesar Cohen Ltd., which offers compliance training, outsourcing and consulting, and the author and editor-in-chief of the Home Care Compliance Answer Book. He may be reached via e-mail at ncaesar@healthlawcenter.com or by telephone at 864/676-9075.