Compliance University
by Neil B. Caesar
December 13, 2016

Some health care companies treat rules like virulent contagions that spread panic and confusion within their organizations. This seemingly infectious bug—the compliance panic virus—causes a dreaded disease: rule overload. However, there is a vaccine.

This vaccine is found in training. Not training specifically in HIPAA rules, anti-fraud regulation or Medicare reimbursement guidelines. Rather, the cure is to teach personnel how your day-to-day operational policies and procedures already address these rules.

“The rules” require you to have compliant policies and procedures. They do not require that you teach or learn the hundreds of pages of regulatory rules. Instead, teach the following lessons:

  1. How to follow your company’s policies and procedures
  2. How these policies and procedures deal with compliance
  3. What to do if there are questions or concerns

Instead of reciting HIPAA regulations, show your staff how your systems are designed to preserve patient confidentiality and privacy. Instead of discussing how the Balanced Budget Act of 1997 combines with the anti-kickback laws to regulate hospital discharge planning activities, preferred provider arrangements and unfair referral patterns, show them how your systems have been modified to address current hospital marketing activities.

Equally important, explain how to bring problems to management’s attention and how to ask questions. In other words, teach your personnel how to trust the systems you have in place.

Don’t Allow Complex Rules to Produce Over-Compliance or Ignorance

The government’s rules are often complex, which creates a perfect recipe for over-compliance that erects barriers to efficient and effective training, as well as to efficient delivery of services. Because of the previously mentioned panic virus, many homecare companies consider virtually every activity they undertake as a potential violation of Medicare, HIPAA or other rules. They then implement ad hoc policies and procedures at such a frantic pace that they barely have time to write them down.

Others operate without carefully verifying compliance requirements, figuring that the burden of compliance outweighs the risk of noncompliance. Ironically, both of these reactions often magnify the paranoia that can be caused by the compliance panic
virus. The best way to combat these reactions is by training on proper policies and procedures.

Write Policies and Procedures to Make Training Easier

When policies are developed, they should be crafted with an eye not only toward daily use as a compliance reference, but also as a training device. The policy manual is what staff will refer to daily, so it should also become their training document source.

Effective policies include two components: a policy statement followed by procedural instructions. For example, charges to patients for copies of records. A HIPAA-compliant, effective policy on records copying fees might look like this:

State law permits us to charge patients a fee for copies of their records up to certain limits, plus sales tax and postage as applicable. Section 164.524 of the HIPAA Privacy Regulation states that a patient may be charged a reasonable, cost-based fee for copies of medical records plus postage. It does not specify a maximum authorized charge.

In light of these rules, we have adopted the following procedure: when a patient requests a copy of his or her records, we will charge $.65 per page for the first 30 pages, and $.50 for every page over 30.

If the records are not on-site and must be retrieved from storage, a $15 clerical fee will be charged. The patient will be given a completed copy of the records invoice form attached to this policy and will be asked for payment in advance. Requests for exceptions to this policy must be referred to the privacy officer.

This is an effective policy for training because it explains the underlying mandates in clear terms and establishes the rationale behind the policy statement.