The state of compliance

18-12-2014

Tasked with managing regulatory risk, chief compliance officers often have to fight for a place at the table when key financial and operational decisions are to be made. HRMR considers the findings of PwC’s latest brief.

In a healthcare environment where reimbursement is down, costs are up and competition to survive is driving mergers, acquisitions and affiliations that until recently were virtually unheard of, those responsible for compliance face new challenges.

Chief among these is the need to demonstrate the value they and a compliance program bring to a healthcare organization, even though the compliance function is not generally revenue-producing.

These are key findings of PwC’s State of Compliance 2014: Healthcare provider industry brief, which details healthcare industry professionals’ views about the role of a chief compliance officer (CCO) in managing the risk and regulatory landscape. It found that CCOs face significant challenges, notably the need to have a seat at the table where key decisions are made.

“Many of these CCOs don’t have a seat with senior leadership,” says Terry Puchley, PwC’s risk assurance healthcare compliance leader. “Organizations do a better job of driving down compliance risk by getting the CCOs involved—in the strategy, in understanding where the organization is going, and in being part of the due diligence teams. That’s where the CCOs are headed, especially in some of the leading organizations.”

Key to PwC’s message is the fact that good compliance means good business. Compliance can be leveraged for competitive advantage—but this can only happen if the CCOs are able to access the resources and the skillsets that they need.

“They also need to be able to leverage technology in the analysis of data in order to be effective. A good CCO is going to understand the impact of population health, and the impact of quality measures on patient care. They’re going to understand what impact compliance can have across quality ratings and how that can impact reimbursement and overall profitability.

“Are all CCOs there? No. But that’s the direction we’re seeing the organisations moving in. The boards are expecting these things of their CCOs; they are seeing them as part of their strategic organization. They are going to help them make the right decisions and leverage compliance as a competitive advantage. It’s about patient safety, it’s about member care, and it’s about access to care.”

She adds that the CCO and risk manager can support each other’s functions, working together on risk assessments and honing processes and leveraging technology to ensure their organization meets compliance requirements.

The overall shift in compliance is away from fear of the regulators towards the promotion of good business practices, with an integrated approach to risk management, internal audit and compliance.

“If you do this right you’re going to have a more integrated approach and limit the amount of overlap between these functions,” says Puchley. “You’ll be able to determine if anything has dropped through the cracks, and the CCO will be involved in helping the organization deal with the strategic business, not just the business of compliance.”

Key findings of the PwC report

1. The majority of healthcare providers have a dedicated CCO reporting directly to the CEO or board of directors, yet challenges remain.

The majority of respondents (86 percent) indicated they have a designated CCO who reports directly to either the board of directors or the CEO.

“Those reporting lines are encouraging and can be crucial to the success of the CCO and the compliance program itself,” states the report.

It expressed concern, however, regarding the 14 percent of respondents who indicated they had no designated CCO.

“In today’s highly regulated provider industry, how is that possible? Compliance programs—even for healthcare providers—are not mandatory. Even though the government is contemplating establishment of a mandatory requirement, currently compliance programs are voluntary, which likely explains the 14 percent of respondents with no designated CCO.”

It added that although the government encourages compliance programs and considers an effective compliance program as a mitigating factor when assessing penalties for violations, there are still organizations that have yet to embrace the idea of the necessity for the function. Furthermore, it found that 43 percent of CCOs still have other responsibilities—and responsibility for other functions.

“When a CCO’s time is divided over responsibilities and functions other than those in the company’s compliance program, then managing the risk of not meeting regulatory requirements tends to take second place—or to receive less attention,” the report stated. When the compliance role is accompanied by operational or legal functions, for example, these tend to dominate, eroding the importance of the compliance function.

It added that the growing challenge of reduced reimbursement, the brokering of strategic alliances, mergers or acquisitions, increased costs, and enormous technology upgrades and system implementations take the focus off managing regulatory risks and funding those activities.

“Given those challenges, CCOs are faced with demonstrating how the compliance function involves more than just the management of regulatory risk,” it stated. “Most CCOs are acutely aware of the need to show the expansiveness of the function and the role, and they have diversified the kinds of talent a compliance department now requires.”

It said that whereas the profession used to be dominated largely by those in the legal profession, these days progressive compliance departments are also staffed with data analysts and professionals with clinical backgrounds and business acumen.

The report recommended that CCOs become proactive in getting themselves a seat at the table when key decisions are to be made within their organization.

“That might require inviting themselves and getting somewhat aggressive in educating their operational and clinical brethren that in general, most operational functions and strategic initiatives involve regulation or regulatory risk at some juncture, so to include compliance early and often is in the best interest of the organization,” it said.

2. Privacy and confidentiality represent the leading current and future regulatory risks that are top of mind among healthcare providers.

“As was the case last year, healthcare providers continue saying their top areas of current and future concerns are privacy and confidentiality—perhaps not surprisingly,” stated the report.

Significant data breaches (those involving more than 500 individuals) seem to be reported every day, and regulators are increasingly imposing heavy fines and penalties for those occurrences.

“Perhaps just as impactful is the damage to brand and reputation,” it added. “Healthcare providers are keenly aware that in today’s competitive healthcare environment, patient consumers have a choice; and if they perceive their personal healthcare information is at risk or vulnerable, they may seek other provider options.

“Add to the equation increased levels of regulatory scrutiny, and it is not surprising that for the second year in a row, survey results show privacy and confidentiality remain top of mind among provider CCOs.”

The Office for Civil Rights (OCR) has completed its pilot audits for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security regulatory requirements and has announced a phase 2 round of audits which was scheduled to begin in the fall of 2014. The phase 2 audits are purposely designed to reach more covered entities (ie, payers, providers, and healthcare clearinghouses) than the pilot program did. The OCR estimates it will conduct 350 audits, which is more than triple the number of audits conducted during the pilot.

“For good reason, most providers have had a shift in thinking, from ‘if an audit were to happen’ to ‘when an audit will happen’,” stated the report.

It said that covered entities should use the current lead time to fill gaps in their policies and procedures and to consider the best way of demonstrating their compliance with HIPAA requirements.

“For the CCO, the challenge is to engage the organization to understand that an OCR audit is not a compliance or IT issue but, rather, a responsibility that is embedded in all aspects of operations. The HIPAA regulatory requirements are pervasive and apply to all members of the workforce involved in ensuring that patient information is gathered, used, disclosed, and maintained properly,” it said.

3. Communication is evolving with the increase in social media use.

The report found that more than half of respondents said they communicate information about compliance and ethics topics through internal social media channels, which is a notable increase from last year’s 33 percent.

“The use of social media—even if limited to the use of internal mechanisms—is a trend that is likely in the right direction,” it said. “Compliance functions can benefit from that evolution by continuing to build awareness among a workforce that is increasingly using some form or multiple forms of social media as vehicles to receive content.”

It said that, with the myriad rules and regulations governing healthcare, compliance has become increasingly complex, and there is no shortage of new regulations or new amendments to existing regulatory requirements.

“In the recent past alone, many new rules or regulatory requirements have been issued, only to get delayed in their implementation or enforcement by the regulators themselves, which acknowledges the challenges inherent in operationalizing and complying with regulations as intended,” it said.

It added that communicating with workforces and educating them on these complex and ever-evolving requirements are challenges too.

“Newsletters and announcements are still viable communication mechanisms, but the rapid pace of technology change is driving change in the ways society as a whole communicates.” It added that PwC hopes the increasing trend toward social media for communicating about compliance and ethics will continue as CCOs embrace technology and current modes of communication to raise awareness.

“The use of social media shows no signs of slowing down, so harnessing and recognizing the power of social media and technology as tools in efforts to continually raise awareness of the complex regulatory environment are likely to have positive effects on workforce members’ understanding of both the role of the compliance function and their own individual roles and responsibilities in assisting their organizations to remain compliant,” it stated.
