Web-Tones

Element 2: Compliance Program Administration

What to Measure

How to Measure

HIPAA Survival Guide (HSG)

Board of Directors:

2.1

Active Board of Directors

·         Review minutes of meetings where Compliance Officer reports in‐person to the Audit and Compliance Committee of the Board of Directors on a quarterly basis

See self-audits. See Checklists. CO required to report to Executive Team on numerous topics on a periodic basis.

·         Conduct inventory of reports given to board and applicable committees.

Id.

2.2

·         Review of training and responsibilities as reflected in meeting minutes and other documents (training materials, newsletters, etc.). Do minutes reflect board’s understanding?

Id.

Board understanding and oversight of their responsibilities

·         Review/audit board education – how often is it conducted? Conduct interviews to assess board understanding.

Executive Team responsible for reporting to Board on an as needed basis; no formal process for that.

2.3

Appropriate escalation to oversight body

·         Review minutes/checklist in compliance officer files

See self-audits.

2.4

Commitment from top

·         Review compliance program resources (budget, staff).

Id.

·         Review documentation to ensure staff, board and management are actively involved in the program.

Id.

·         Conduct interviews of board, management and staff.

Id. Interviews only go as far up as the Executive Team.

2.5

Process for escalation and accountability

Process review (document review, interviews, etc.). Is there timely reporting and resolution of matters?

 Id.

Compliance Budget:

2.6

Appropriate oversight of budget

Review charter of governing body (Board) to verify it includes approval of compliance budget

Budget approved at the level of the Executive Team.

2.7

Budget is based on an assessment of risk and program improvement/effectiveness

Is the Board’s approval of the budget based on identified risks and effectiveness evaluation/program improvement?

Latest Risk Assessment conducted in Expresso™ serve as input to the budget process.

2.8

Sufficient compliance program resources (budget, staffing)

Review budget and staffing to ensure significant risks are managed appropriately

 Id.

Compliance Committees:

2.9

Active involvement of compliance committee members

Track percentage of attendance of each compliance committee member over the last year

Executive Team owns the HCI in many substantive respects, including approving budget and resources.

2.1

Assure that the compliance oversight committee goals and functions are outlined

Review charter of committee

No charter unless Executive Team deems it necessary to create one.

2.11

Committee structure

Review documentation of structure of committees as well as charters. Ensure no conflicting charters.

 Id. Executive Team functions as the governance committee.

2.12

Compliance committee composition and attendance

Review charter and minutes to assure attendance.

 Id.

2.13

Cascade administration of compliance program throughout the organization

Different operational areas give some certification/disclosure to the compliance office

Feedback is sought from distinct functional groups on an as needed basis especially during the performance of self-audits.

2.14

Composition of Compliance Committee

Review organizational chart to validate correct composition

 See self-audits.

2.15

Effectiveness of compliance committee meetings

Keep executive report card by member qualitative/quantitative with indicators of contribution on topics

Tracking of the HCI is kept is the following Scorecards: (1) Privacy Rule; (2) Security Rule; (3) Breach Notification Rule; and (4) Cloud, Social Media, and Mobile.

2.16

Engagement

In the last two years, have the compliance committee meetings been held in accordance with the charter?

See self-audits.

2.17

Engagement of Directors/Managers

Review committee structure to evaluate how directors/managers are participating in Compliance Operational Committee(s) meeting includes agenda, minutes, attendance and reports from subcommittees

See self-audits. See required reporting to the Executive Team.

2.18

Executive Leadership engaged in Compliance Program

Review frequency of meetings, membership, attendance, agenda and minutes over the past year of the Compliance Executive Committee to include all members of the Senior Executive team receiving information directly from the Compliance Officer

 Id.

Accountability:

2.19

Leadership accountability

Audit documentation and conduct interviews. Some examples might include:

Id.

·         Employee education completion rates

See Workforce training;

·         Demonstration of promotion of compliance (e.g., town hall meeting presentations, newsletters, etc.)

See self-audits. Process requires security reminders in compliance with the HIPAA Security Rule.

·         Completion of audit or review action items within established time frame

See self-audits.

2.2

Management accountability for compliance

Process and document review and interviews.

Id.

·         Is there a mapping of operational or management responsible for championing compliance?

See Executive Team governance committee.

·         Is there a mapping of management responsible for key areas of compliance to ensure accountability?

Id.

·         Does top management support the compliance team?

Id.

Compliance Officer:

2.21

Competency

·         Certification (CHC, CHPC, CHRC)

Our Subscription Plan offers a certification program based on over 200 questions corresponding to over 15 courses.

·         Annual evaluation, coaching, corrective action, professional development

CO’s are encouraged to attend our FREE monthly webinars where review past topics and discuss either new guidance or changes in the law.

2.22

Is the compliance officer a key stakeholder in the strategic initiatives of the organization

·         Review participation of compliance officer in strategic planning process and due diligence processes.

See self-audits. See Executive Team governance committee.

2.23

Compliance department involvement in enterprise‐ wide initiatives/entities/strategies (e.g., involvement or penetration in joint venture initiatives and other organizational inventory)

·         Process review, including review of organizational chart to ensure compliance captures enterprise‐wide entities.

Id.

·         Interviews with compliance and other committees.

2.24

Compliance independence/compliance structure

·         Does the reporting structure reflects the "express" authority required?

Id.

·         Audit program charters (compliance program or Audit committee)

Id.

2.25

Compliance integration

Audit to determine the extent to which compliance officer is involved in training, policy development, marketing and other operational aspects of the business

 Id.

2.26

Compliance Officer reporting structure and oversight to ensure direct access to C suite and board

·         Document review ‐ Look at organizational chart and conduct interviews.

Id.

·         Review board minutes and documentation that there are regular meetings with CEO and or appropriate parties.

Responsibility of Executive Team.

·         Ensure compliance officer has authority and is comfortable to go to board.

Responsibility of Executive Team.

2.27

Compliance officer’s independence/objectivity

·         Review compliance officer’s job description. Does s/he report directly to CEO, board (not CFO or Legal)? Conduct interviews, focused groups, audit.

See Executive Team governance committee.

·         Seating location of compliance with the business, senior teams are together, and dotted line on org chart

Id.

·         Interview compliance officer to see if they feel they have independence, do they document disagreements, is there executive session for audit committee.

Id.

·         Interview the board, review minutes, and interview the CCO

Responsibility of Executive Team.

·         Review of written organizational structure

Id.

·         Verify the Compliance Officer has the independent authority to retain outside legal counsel

Id.

·         Review if there is screening of compliance officer material to the Board of Directors

Id.

·         Regular executive session of the Compliance Officer with the Audit and Compliance Committee of the Board

Id.

2.28

Credibility of compliance officer

Job Description review, ongoing training of compliance officer, basic competencies, certifications, reporting structure

 Id. See our certification program.

2.29

How much authority does the compliance officer have to start a working group to look at changes?

·         Have needed changes been made, and if not, why not?

See Executive Team governance committee.

·         What authority does the compliance officer have and how does he or she exercise it?

Id.

·         Where is the compliance team with regards to identifying working groups to help attack a new compliance risk?

Id.

2.3

How supported the compliance officer feels

·         Interview compliance officer;

Id.

·         Documentation review.

Id.

2.31

Organizational perception of compliance officer and corporate compliance program

Survey employees regarding:

·         Their perception of the compliance officer role.

Id.

·           Whether they know who the compliance team is, how to get to them and, what to tell them.

Id.

·           Is the compliance staff approachable?

Id.

·         Are the compliance staff solution facilitators or looked at as the organizational police force?

Id.

2.32

Compliance problem solving and adequacy of process

Process review

Id. See also Breach Notification methodology; policies.

Staffing:

2.33

Adequacy of staffing and resources

·         FTEs assigned to compliance function

Responsibility of Executive Team.

·         Review compliance matters and if they have been addressed timely.

Id.

·         Review and ensure policies and procedures are implemented and being followed.

Id.

·         Review documentation of reports to committee(s) and board.

Id.

·         Assess status of work plan and any delays.

Id.

·         Ensure documentation of risk assessment.

Id.

·         Review documentation regarding discussions at board level regarding budget.

Id.

·         Review benchmarking data from similar entities.

Id.

2.34

Assurance of staffing

Review qualifications of staff; ratio of compliance staff to business, compensation to the business

Id.

2.35

Adequacy of compliance staff based on risk assessment

Risk assessment considers the number and competency of staff required to address risk

Id. See also certification program available to all compliance staff.

Compliance Plan:

2.36

Compliance plan assessments

·        Document review, including compliance plan and policies.

See self-audits.

·        Is there an external review conducted periodically?

Id. External review recommended periodically.

·        What is the role of internal audit with regarding to compliance?

Role is to ensure that policies, processes and tracking mechanisms are being followed for each requirement of the Rules.

·        How does internal audit interact with compliance?

The Executive Team nominate the personnel to conduct self-audits. Includes Workforce members from various functional areas.

·        Benchmark program with similar sizes within the same industry

None.

2.37

Compliance plan process

Audit process for development of the annual compliance plan.

See self-audits.

2.38

Compliance organization

Assess the positioning and effectiveness of the compliance organization staff, titles, organizational chart, pay, promotion records compared to other areas within the organization

Id.

2.39

Document that establishes the authority of the program

Document review, meeting minutes for approval.

 Id.

2.4

Perception of compliance program

Survey employees

 Id.

Culture:

2.41

Accountability

SURVEY ‐ Does the compliance department have an impact on how you do your job? (Yes/No/Don't know)

 Id.

2.42

Accuracy and Trust in Monitoring

SURVEY: Do you believe the information from your department is reported with a high degree of integrity and accuracy? (Yes/ No/Don’t know)

2.43

Culture

Conduct cultural survey (interviews, confidential surveys, focus groups, etc.) and report findings to compliance committee and board. Review minutes to ensure report out and action plan established.

 Id.

2.44

Effectiveness of compliance program in the field

Survey of field compliance people

 Id.

2.45

What is company doing to drive compliance culture?

Surveys:

Id.

·         What does company incentivize?

Id.

·         What does the company promote and look down on?

Id.

·         Is compliance program tied to mission, vision, values?

Id. See also Executive Team governance committee.

2.46

Employee comments from “Rounding”

Audit the tracking of what employees report when proactively asked by compliance department (or leadership, etc.) and how this information is managed and reported.

Id.

2.47

Measuring effectiveness of executive communication on compliance

Track on‐line engagement (clicks) and survey audience

Id.

Incentives:

2.48

Aligning performance management system (promotion system) with ethics and compliance objectives

Audit criteria of promotion, bonuses and assignments

Id.

2.49

Compliance and Ethics Role/participation for developing the incentive system

Have an outside independent expert audit the incentive system and compliance officer's participation

 None.

2.5

Is incentive system consistent with compliance program

Employee Survey

 None.

Performance Evaluations:

2.51

Proper alignment of compliance objectives with organizational performance incentives (promotions/performance appraisals/bonuses)

·      Audit disciplinary records and performance evaluations for consistency with compliance

See self-audits.

·      Audit/Review of process for performance incentives (promotions/performance appraisals/bonuses) criteria to include compliance components

Id.

2.52

“Compliance” as a performance appraisal element

·         Audit performance appraisals. Some options include:                                                      o Acknowledgment of no disciplinary action                                                              o Education completion                                         o    Documentation of promotion of compliance

·         Are merit increases tied to performance?

Id.

·         Does completion of compliance education, promotion of compliance through words, actions or no documented disciplinary action and/or, completion of corrective action plans within the due dates play a role into the calculation of merit increase?

Id.

·         Compliance is part of the annual performance evaluation and HR knows how to evaluate issues for compliance

Id. See also

2.53

Manager performance evaluations

Managers have open door policy, communicate compliance directives/initiatives, address compliance matters and effectiveness is noted in performance evaluation.

See Executive Team governance committee.

2.54

Is compliance taken into account in promotion decisions?

Review promotion lists and documentation to support promotion. Did the individual actively promote compliance?

Id.

2.55

Organizational Retaliation

Track whistleblower promotion, bonuses, sick days, disciplinary, corrective action measures and exit interview over long term

 Id.

Risk Assessments:

2.56

Compliance Resource knowledge and competence

Survey, focus groups and interviews

Expresso also for Risk Assessment to be conducted as needed. Historical Risk Assessments can be accessed for reporting purposes.

2.57

Compliance staff knowledge of current regulatory changes and laws

Document review and interviews. Review certificates of attendance at conferences/other educational events, “tools” used to keep compliance staff current, compliance budget (to support access to current regulatory changes and laws).

See certification program available to all staff.

2.58

Monitoring of regulations that impact the organization

Document and process review, interviews.

See self-audits.

·         Is there a policy and procedure?

Id.

·         Is there evidence that regulations, etc. are disseminated and implemented?

Id. Signatures required for all policies by all Workforce members.

·         Are there designated individual(s) that monitor laws, regulations, policies that impact organization?

There is the responsibility of the CO.

·         How do they get the information and what do they do with it to make sure it gets to the right people?

Certification through training. Monthly newsletters, webinars, etc.

2.59

Risk Assessment Cycle

·        Audit adherence to risk assessment cycle

Expresso™

·        Annual documented risk assessment has been communicated to oversight committee

Id.

2.6

Risk based work plan that covers compliance plan elements with board approval and regular reporting on those projects to board

Compliance Committee and board minutes review.

See Executive Team governance committee.

2.61

Work plan development based on risk assessment

Process and document review.

 Id.

2.62

Prioritization of risk and consultation with applicable risk partners (i.e., legal, HR, IT, risk management, etc.)

Documentation and process review. Is there a risk based plan?  How was it developed?

 Id.

2.63

Exit interview

Compliance concerns that come up in exit interviews are addressed

 Id.

Compliance Work Plan:

2.64

Compliance work plan

Audit to ensure the work plan is developed and implemented and it is followed‐through and outcomes are reported to compliance committee or to governing body

 Id.

2.65

Effectiveness of compliance program

Written annual work plan that includes minutes

Id. Based in part on last Expresso™ Risk Assessment.

Legal Counsel's Role:

2.66

Role of counsel in compliance process

Interview counsel regarding their involvement.

 See self-audits. Monthly newsletters, webinars, etc.

·         When they are brought into matters?

As required.

·         Where is counsel situated in relation to compliance officer on organizational chart?

N/A

2.67

Existence and adherence to policy on involvement of legal in handling matters under privilege

Review policy and sample areas that were referred to legal followed the policy

As required.

Other:

2.68

Job descriptions of management

Review of management job descriptions. Do managers have concrete compliance deliverables other than training and abiding by Code of Conduct?

 See Executive Team governance committee.