The touchstone for measuring health care compliance programs effectiveness is the Office of Inspector General’s Seven Elements of an Effective Compliance Program (Seven Elements) derived from the Organizational Sentencing Guidelines promulgated by the U.S. Sentencing Commission.1
Entire treatises could be written on each of the elements, but they basically boil down to: designation of a compliance officer and committee; written policies, procedures, and a standard, or code, of conduct; open lines of communication; training and education; monitoring and auditing; enforcing standards through well-publicized disciplinary guidelines; and promptly responding to detected offenses and taking corrective action.
Arguably, the most underappreciated, overlooked, and important of these elements is that of written policies and procedures (P&Ps). P&Ps are the workhorse of a compliance program, i.e., if done right, they will dependably serve an organization for years.
Why Are Effective P&Ps Important?
Why are effective P&Ps so valuable from a compliance standpoint? If utilized properly, they:
- Establish organizational goals, set tone and culture, describe expected behaviors, and contribute to other employee accountability tools
- Train and educate employees not only at onboarding but on an ongoing basis
- Facilitate succession planning and contribute to sound business continuity, e.g., the old adage of “what if key employee Sally is hit by a bus, who will do her job?” applies here
- Provide legally defensible documentation that complies with regulatory, accreditation, and contractual requirements, which may help avoid litigation, fines, and loss of business, i.e., function as a critical risk mitigation tool
- Serve as a foundation for business process improvement
In the health care sector, it is not an exaggeration to state that effective P&Ps can also literally save lives.
How to Start (and Finish!)?
Most medium to large-sized organizations have at least some basic written policies and procedures, most likely human resource-related, although their quality, completeness, and currency may be lacking. However, even small business can benefit from having effective P&Ps.
Whether starting from scratch or working to improve existing P&Ps, the entire process and even getting started can be overwhelming.
IRAC for P&Ps
Instead of tackling P&P creation and improvement wholesale, or, worse, ignoring it completely, take a step-by-step approach along the lines of the IRAC (Issue, Rule, Analysis, Conclusion) method for briefing a legal issue.
First, identify key organizational risks, i.e., what is the issue or concern that needs to be addressed? This process may be as formal as undertaking enterprise risk management or as simple as a sense of an organization’s highest risk areas based on the legal and other authority or contracts to which the organization are subject.
Considering what other similarly situated organizations have identified as common risks may also be useful. For most organizations, human resources (think classification issues and wage-and-hour litigation) and information security (what organization does not have at least some confidential data, let alone personally identifiable information?) will be among the highest-risk areas. In health care in particular, add to that safeguarding protected health information and the obligations that come with receiving government money, and you have the start of a good list of organizational risk areas.
Second, determine what authority the organization is subject to; that is, what are the rules with which your organization must comply? Think broadly—this is one area you do not want to give short shrift. Look to statutes, regulations, opinions and other regulatory guidance, court cases, accreditation standards, and key contracts, not the least of which is government contracts.
Next, rally the troops. Bring in the business owners, key stakeholders, and subject matter experts that will have to abide by the P&Ps to draft and analyze the requirements and describe how policies are actually implemented at your organization. Again, think broadly. With today’s software and process integrations, it may be difficult to know whether the work of one area will impact that of another.
Check for interactions with other departments, software, business processes, and existing P&Ps. Perhaps most importantly, never reinvent the wheel. Look for samples from colleagues, professional associations, and other similarly situated organizations.
One caveat: while organizational policies may be similar, their procedures most likely are not. For example, the policy of most health care entities is (should be!) to prevent and detect fraud, waste, and abuse. The procedures each organization employs in pursuit of that policy, however, will vary significantly.
Leave time for ample and broad review by all stakeholders, including legal, compliance, management, and the line staff that implement the procedures on a day-to-day basis. Management may be chagrined to find that line staff are not following the procedures they thought they were for numerous reasons, including that they are not up-to-date, onerous, inefficient, or are intentionally being skirted for possibly questionable or bad-faith reasons.
Also, avoid falling into the trap of using legalese and overly technical language wherever possible. It is great to have written P&Ps, but not so great if the intended audience (staff, but don’t forget about regulators and accreditors) cannot understand them.
Unfortunately, even with a polished final product, the work is not finished. Rather, that shiny new P&P must be publicized to those to whom it applies and thorough training and education must be undertaken. Ideally, who received the training and when is documented.
Additionally, best practice dictates that all P&Ps be reviewed at least annually and updated as needed; for example, when a law is changed, an accreditation standard tweaked, or new hardware, software, or a business process is implemented.
What Should P&Ps Include?
There are literally dozens of P&P templates available online. The most effective will have the following sections at minimum:
- Scope: What is the scope of the P&P? Who or what does it apply to? For some organizations, it will be a line of business for another, a particular customer, and others, a department.
- Roles and Responsibilities: Who is responsible for what with regard to that P&P? Roles and Responsibilities are best defined by department and/or job title, and not by a specific employee’s name, for business continuity purposes.
- Responsibilities should also be specific and if at all possible, measurable. For example, a fraud, waste, and abuse P&P may require a claims department manager to review 10% of each claims examiners weekly output. Here, the claims manager’s role is defined and the responsibility is clear and measurable. This section is particularly important to consider when determining whether and how a P&P can be monitored or audited, another of the Seven Elements. Moreover, if staff have questions or concerns, this section provides them with guidance on who to consult and aids in enforcing employee accountability.
- Definitions and Acronyms: Best practice is to include these near the beginning of the P&P so that the user does not need to page back and forth to understand the multiple acronyms and sometimes highly technical definitions employed in health care.
- Exceptions: Describe any exceptions to the P&P (in some cases, there may be no wiggle room) and how an exception should be requested and whether it should be granted. For example, describe under what circumstances an exception to an employee’s use of paid time off may be allowed and who should review and decide upon that exception.
- Enforcement: Although it may seem heavy-handed, part of the purpose of P&Ps, particularly in helping to ensure an organization has an effective compliance program, is to publicize the consequences for non-compliance with requirements. Those subject to the P&P should understand what may or will happen if they do not follow the rules.
- References/Authority: While sometimes separated into two sections, at least one section should be dedicated to the legal and other authority that require the P&P and to any other related documents, whether internal or external. This is especially helpful in determining what P&Ps are impacted and should be updated when changes to the law and other authority occur.
- Revision History and Reviewer: While the information regarding who is responsible for reviewing and approving the P&P and its review cycle can be kept elsewhere, it is simpler to include this information within the P&P itself. Revision history is particularly helpful when dealing with a regulatory action or litigation—tracking down the language of prior P&Ps can be time consuming and sometimes impossible, depending on the sophistication of an organization’s record-retention practices.
Maintaining a master list of P&Ps is another best practice that organizations should consider. This can be as simple as an Excel sheet or as complex as governance, risk, and compliance software.
Regardless, tracking information should include a number of data points, such as the P&P’s name and purpose; owner (department, division, manager, etc.); authority; version history; and a description of the review cycle. It is also helpful to include an indicator as to whether a particular P&P must be reviewed and approved by a regulator, accreditor, and/or contractor if it is substantively amended.
There is disagreement about whether P&Ps should be separated into two or more documents, i.e., one document setting forth the policy and a second describing the associated procedure. Each approach has pros and cons that may depend on a particular organization and its culture.
For example, if P&Ps are only available to staff in paper form, it may make more sense to have a single document for both the policy and the procedure so they are less likely to get separated, whereas if they are available electronically, multiple documents are easier to manage.
In some instances, two documents may be the way to go where the organization wants to make the policy available to the general staff—e.g., the HR policy on employee classifications—but limit public access to the related procedure.
Another advantage of separate policy and procedure documents is simplification of annual and other reviews. While most policies will not change from year-to-year, for example, an organization’s commitment to preventing and detecting fraud is not likely to alter, the implementing procedures for that policy may be subject to multiple revisions over time. Keeping separate documents may help maximize flexibility in drafting and review.
Effective written P&Ps can help meet multiple of the Seven Elements, if drafted and maintained in a thoughtful manner.
While creating and maintaining P&Ps can be daunting, keep in mind their unequivocal role in supporting an effective compliance program.
As a leading change facilitator in this era of sweeping health care reform, the Mazars Health Care Group offers health care payors and providers a powerful combination of service and results-oriented strategy to help them meet their business goals, overcome challenges, and improve performance. For more information about their timely, valuable information and insights into policies, best practices and industry developments, visit mazarsusa.com/hc.
1 Federal Sentencing Guidelines Manual, 18 U.S.C.A. § 8B2.1 (2016), available at https://www.ussc.gov/guidelines/2016-guidelines-manual/2016-chapter-8#NaN