Implementing policies and procedures - Health Care Compliance ...

Volume SevenNumber FourApril 2005Published MonthlyREGISTER TODAY!FOR THE ADVANCED ACADEMY JUNE 20-23, 2005HYATT AT FISHERMAN’S WHARF SAN FRANCISCO, CAFor more information go visit, www.hcca-info.org or see page 36 of this issue.INSIDELeadership letter234610141620222528On the CalendarMedicare’s psychiatricreimbursementOIG's ComplianceGuidanceFederal enforcementpoliciesMeet Odell GuytonValuing physicianservices agreementsCEO’s letterImplementing policiesand proceduresAuditing for HIPAAOIG guidance forhospitals

April 200522COMPLIANCEFOCUSGROUPHCCA/AHIA■ Understand laws and regulations■ Obtain and/or establish policies forspecific issues and areasdures most relevant to your organization2. Identifying the various types of compliancepolicies and proceduresImplementinga core set ofcompliance policies and proceduresBy Randall BrownEditor's note: This is the sixth article in aseries offered by The HCCA/AHIAAuditing & Monitoring Focus Groupregarding seven components to expandon the roles of compliance and internalaudit functions, provide detailed "how tosteps", and discuss the essential coordinationlinks between compliance, internalaudit, legal, and management that arenecessary for each component. The finalarticle will address compliance education/awareness tools and techniques. Theauthor's contact information may befound at the end of this article.A focus group of Health CareCompliance Association (HCCA) andAssociation of Healthcare InternalAuditors (AHIA) members has beenmeeting the past nine months toexplore opportunities to better defineand explain auditing and monitoring,clarify the roles of compliance, andinternal audit functions as they addressissues within their health care organizations,and develop guidance and referencematerials on key aspects of healthcare auditing and monitoring processes.The Seven Component Frameworkdeveloped by the HCCA/AHIA focusgroup for compliance auditing andmonitoring is comprised of the followingactivities:■ Perform a risk assessment and determinethe level of risk■ Educate on the policies and proceduresand communicate awareness■ Monitor compliance with laws, regulations,and policies■ Audit the highest risk areas■ Re-educate staff on regulations andissues identified in the auditThis article provides guidance on implementinga core set of compliance policiesand procedures.The requirement to establish writtenpolicies and procedures is listed as thefirst element of the seven elements ofan effective compliance program identifiedby the U.S. Department of Healthand Human Services Office of InspectorGeneral (OIG). This fact demonstratesthe importance of health care organizationshaving written compliance policiesand procedures to serve as a guide forestablishing and maintaining an effectivecompliance program.The policies and procedures developedby an organization should address itsprincipal risks, clarify the purpose of thecompliance program, establish internalstandards for compliance with laws andregulations, aid in the communication oforganizational values and expectationsregarding employee behavior, and facilitateemployees' understanding of theconsequences of non-compliance, forboth the organization and the individual. 1This article focuses on the followingsteps necessary to implement a core setof compliance policies and procedures:1. Determining those policies and proce-3. Establishing the role of theCompliance Officer related to theImplementation of compliance policiesand procedures4. Implementing a process for ongoingcommunication and updating of compliancepolicies and proceduresDetermining those policies and proceduresmost relevant to your organizationIn preparing to develop your organization'scompliance policies and procedures,it is important to establish someground rules to aid in consistent andeffective communication of those policiesand procedures.We suggest:■ First, establish a standard format inwhich all policies and procedureswill be written. Having a standardwill provide consistency in how thepolicies and procedures look andallow employees to readily recognizethem as relevant to compliance.■ Second, it is important to establish acontrolled revision process for allpolicies and procedures, includingmaintaining a history of changesmade over time. A crucial part of thisrevision process is to ensure the policiesand procedures are reviewedand approved by all relevant partiesbefore being communicated to theentire organization.■ Third, ensure the policies and proceduresare readily available toemployees, management, and theBoard for quick reference/clarification.Having these policies and proceduresin a location and format thatHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org

is easy for employees to find andread increases the likelihood thatthey will have an adequate understandingof them.An organization should develop policiesand procedures which are designed toaddress its principal business risks. Thisis facilitated by the organization periodicallyassessing its risks to identify and prioritizeits greatest risk areas. Tips on howto conduct a compliance risk assessmentcan be found in the article titled"Performing a Compliance RiskAssessment" published in the November2004 issue of Compliance Today. Therisk assessment should take into considerationissues identified in the OIG WorkPlan, recent enforcement actions by theOIG, and other government agencies, aswell as any significant internal controlweaknesses which have been previouslyidentified within the organization. 2In developing its core set of compliancepolicies and procedures, an organizationshould include policies and proceduresthat describe the purpose, function, andauthority of its compliance program.Figure 1Start by reviewing the objectives, rights,and authorities that have been outlinedin your organization's compliance charterand the job description of yourCorporate Compliance Officer.Additionally, review the establishedCode of Conduct and those processes inplace to promptly identify and remedyinstances of non-compliance to ensurethat the organization's policies and proceduresaddress the seven elements ofan effective compliance program asdefined by the OIG.Identifying various types of compliancepolicies and proceduresEstablishing an effective compliance programdoes not require the developmentof hundreds or even dozens of policiesand procedures. Most compliance programsinclude policies and proceduresthat fall into the following categories:■ Policies relating to the operation ofthe compliance program (CP) - Thesepolicies are typically focused on"operationalizing" the complianceprogram. Policies may include informationregarding the complianceprogram itself, the reporting mechanismsthat have been established,expectations regarding employeeconduct related to various complianceissues, and corrective/disciplinaryactions for violations of thecode of conduct.■ Policies addressing the organization'ssignificant compliance-related risks(CR) - Health care organizations facecompliance risks related to numerousand complex regulations. The policiesto address these risks may varybased on the type or specialty of anorganization.Figure 1 is a representative list of thetypes of policies and procedures thatmost health care organizations shouldconsider including as part of its core setof compliance policies and procedures.Establishing the role of the complianceofficer related to the implementationof compliance policies andproceduresThe Compliance Officer serves as thefocal point for compliance activities andis responsible for oversight of the development,implementation, and dailyoperation of the compliance programand any related policies and procedures.The Compliance Officer is alsoresponsible for identifying those compliancepolicies and procedures which arerequired for the organization.The Compliance Officer works in conjunctionwith organizational managementand its Board to ensure the compliancepolicies and procedures currentlyin place or under development:■ are in agreement with existingprocessesContinued on page 24April 200523