On January 17, 2017, HCCA-OIG and HHS recently issued new guidance regarding how to effectively comply with HIPAA and other compliance regimes. This is the second in a series of three posts that responds to how the HIPAA Survival Guide's methodology aligns with the guidance with respect to "Elements 2." The first post can be found here.
|
Element 2: Compliance Program Administration |
|||
|
What to Measure |
How to Measure |
HIPAA Survival Guide (HSG) |
|
|
Board of Directors: |
|||
|
2.1 |
Active Board of Directors |
· Review minutes of meetings where Compliance Officer reports in‐person to the Audit and Compliance Committee of the Board of Directors on a quarterly basis |
See self-audits. See Checklists. CO required to report to Executive Team on numerous topics on a periodic basis. |
|
· Conduct inventory of reports given to board and applicable committees. |
Id. |
||
|
2.2 |
· Review of training and responsibilities as reflected in meeting minutes and other documents (training materials, newsletters, etc.). Do minutes reflect board’s understanding? |
Id. |
|
|
Board understanding and oversight of their responsibilities |
· Review/audit board education – how often is it conducted? Conduct interviews to assess board understanding. |
Executive Team responsible for reporting to Board on an as needed basis; no formal process for that. |
|
|
2.3 |
Appropriate escalation to oversight body |
· Review minutes/checklist in compliance officer files |
See self-audits. |
|
2.4 |
Commitment from top |
· Review compliance program resources (budget, staff). |
Id. |
|
|
· Review documentation to ensure staff, board and management are actively involved in the program. |
Id. |
|||
|
· Conduct interviews of board, management and staff. |
Id. Interviews only go as far up as the Executive Team. |
|||
|
2.5 |
Process for escalation and accountability |
Process review (document review, interviews, etc.). Is there timely reporting and resolution of matters? |
Id. |
|
|
Compliance Budget: |
||||
|
2.6 |
Appropriate oversight of budget |
Review charter of governing body (Board) to verify it includes approval of compliance budget |
Budget approved at the level of the Executive Team. |
|
|
2.7 |
Budget is based on an assessment of risk and program improvement/effectiveness |
Is the Board’s approval of the budget based on identified risks and effectiveness evaluation/program improvement? |
Latest Risk Assessment conducted in Expresso™ serve as input to the budget process. |
|
|
2.8 |
Sufficient compliance program resources (budget, staffing) |
Review budget and staffing to ensure significant risks are managed appropriately |
Id. |
|
|
Compliance Committees: |
||||
|
2.9 |
Active involvement of compliance committee members |
Track percentage of attendance of each compliance committee member over the last year |
Executive Team owns the HCI in many substantive respects, including approving budget and resources. |
|
|
2.1 |
Assure that the compliance oversight committee goals and functions are outlined |
Review charter of committee |
No charter unless Executive Team deems it necessary to create one. |
|
|
2.11 |
Committee structure |
Review documentation of structure of committees as well as charters. Ensure no conflicting charters. |
Id. Executive Team functions as the governance committee. |
|
|
2.12 |
Compliance committee composition and attendance |
Review charter and minutes to assure attendance. |
Id. |
|
|
2.13 |
Cascade administration of compliance program throughout the organization |
Different operational areas give some certification/disclosure to the compliance office |
Feedback is sought from distinct functional groups on an as needed basis especially during the performance of self-audits. |
|
|
2.14 |
Composition of Compliance Committee |
Review organizational chart to validate correct composition |
See self-audits. |
|
|
2.15 |
Effectiveness of compliance committee meetings |
Keep executive report card by member qualitative/quantitative with indicators of contribution on topics |
Tracking of the HCI is kept is the following Scorecards: (1) Privacy Rule; (2) Security Rule; (3) Breach Notification Rule; and (4) Cloud, Social Media, and Mobile. |
|
|
2.16 |
Engagement |
In the last two years, have the compliance committee meetings been held in accordance with the charter? |
See self-audits. |
|
|
2.17 |
Engagement of Directors/Managers |
Review committee structure to evaluate how directors/managers are participating in Compliance Operational Committee(s) meeting includes agenda, minutes, attendance and reports from subcommittees |
See self-audits. See required reporting to the Executive Team. |
|
|
2.18 |
Executive Leadership engaged in Compliance Program |
Review frequency of meetings, membership, attendance, agenda and minutes over the past year of the Compliance Executive Committee to include all members of the Senior Executive team receiving information directly from the Compliance Officer |
Id. |
|
|
Accountability: |
||||
|
2.19 |
Leadership accountability |
Audit documentation and conduct interviews. Some examples might include: |
Id. |
|
|
· Employee education completion rates |
See Workforce training; |
|||
|
· Demonstration of promotion of compliance (e.g., town hall meeting presentations, newsletters, etc.) |
See self-audits. Process requires security reminders in compliance with the HIPAA Security Rule. |
|||
|
· Completion of audit or review action items within established time frame |
See self-audits. |
|||
|
2.2 |
Management accountability for compliance |
Process and document review and interviews. |
Id. |
|
|
· Is there a mapping of operational or management responsible for championing compliance? |
See Executive Team governance committee. |
|||
|
· Is there a mapping of management responsible for key areas of compliance to ensure accountability? |
Id. |
|||
|
· Does top management support the compliance team? |
Id. |
|||
|
Compliance Officer: |
||||
|
2.21 |
Competency |
· Certification (CHC, CHPC, CHRC) |
Our Subscription Plan offers a certification program based on over 200 questions corresponding to over 15 courses. |
|
|
· Annual evaluation, coaching, corrective action, professional development |
CO’s are encouraged to attend our FREE monthly webinars where review past topics and discuss either new guidance or changes in the law. |
|||
|
2.22 |
Is the compliance officer a key stakeholder in the strategic initiatives of the organization |
· Review participation of compliance officer in strategic planning process and due diligence processes. |
See self-audits. See Executive Team governance committee. |
|
|
2.23 |
Compliance department involvement in enterprise‐ wide initiatives/entities/strategies (e.g., involvement or penetration in joint venture initiatives and other organizational inventory) |
· Process review, including review of organizational chart to ensure compliance captures enterprise‐wide entities. |
Id. |
|
|
· Interviews with compliance and other committees. |
||||
|
2.24 |
Compliance independence/compliance structure |
· Does the reporting structure reflects the "express" authority required? |
Id. |
|
|
· Audit program charters (compliance program or Audit committee) |
Id. |
|||
|
2.25 |
Compliance integration |
Audit to determine the extent to which compliance officer is involved in training, policy development, marketing and other operational aspects of the business |
Id. |
|
|
2.26 |
Compliance Officer reporting structure and oversight to ensure direct access to C suite and board |
· Document review ‐ Look at organizational chart and conduct interviews. |
Id. |
|
|
· Review board minutes and documentation that there are regular meetings with CEO and or appropriate parties. |
Responsibility of Executive Team. |
|||
|
· Ensure compliance officer has authority and is comfortable to go to board. |
Responsibility of Executive Team. |
|||
|
2.27 |
Compliance officer’s independence/objectivity |
· Review compliance officer’s job description. Does s/he report directly to CEO, board (not CFO or Legal)? Conduct interviews, focused groups, audit. |
See Executive Team governance committee. |
|
|
· Seating location of compliance with the business, senior teams are together, and dotted line on org chart |
Id. |
|||
|
· Interview compliance officer to see if they feel they have independence, do they document disagreements, is there executive session for audit committee. |
Id. |
|||
|
· Interview the board, review minutes, and interview the CCO |
Responsibility of Executive Team. |
|||
|
· Review of written organizational structure |
Id. |
|||
|
· Verify the Compliance Officer has the independent authority to retain outside legal counsel |
Id. |
|||
|
· Review if there is screening of compliance officer material to the Board of Directors |
Id. |
|||
|
· Regular executive session of the Compliance Officer with the Audit and Compliance Committee of the Board |
Id. |
|
2.28 |
Credibility of compliance officer |
Job Description review, ongoing training of compliance officer, basic competencies, certifications, reporting structure |
Id. See our certification program. |
|
|
2.29 |
How much authority does the compliance officer have to start a working group to look at changes? |
· Have needed changes been made, and if not, why not? |
See Executive Team governance committee. |
|
|
· What authority does the compliance officer have and how does he or she exercise it? |
Id. |
|||
|
· Where is the compliance team with regards to identifying working groups to help attack a new compliance risk? |
Id. |
|||
|
2.3 |
How supported the compliance officer feels |
· Interview compliance officer; |
Id. |
|
|
· Documentation review. |
Id. |
|||
|
2.31 |
Organizational perception of compliance officer and corporate compliance program |
Survey employees regarding: |
||
|
· Their perception of the compliance officer role. |
Id. |
|||
|
· Whether they know who the compliance team is, how to get to them and, what to tell them. |
Id. |
|||
|
· Is the compliance staff approachable? |
Id. |
|||
|
· Are the compliance staff solution facilitators or looked at as the organizational police force? |
Id. |
|||
|
2.32 |
Compliance problem solving and adequacy of process |
Process review |
Id. See also Breach Notification methodology; policies. |
|
|
Staffing: |
||||
|
2.33 |
Adequacy of staffing and resources |
· FTEs assigned to compliance function |
Responsibility of Executive Team. |
|
|
· Review compliance matters and if they have been addressed timely. |
Id. |
|||
|
· Review and ensure policies and procedures are implemented and being followed. |
Id. |
|||
|
· Review documentation of reports to committee(s) and board. |
Id. |
|||
|
· Assess status of work plan and any delays. |
Id. |
|||
|
· Ensure documentation of risk assessment. |
Id. |
|||
|
· Review documentation regarding discussions at board level regarding budget. |
Id. |
|||
|
· Review benchmarking data from similar entities. |
Id. |
|||
|
2.34 |
Assurance of staffing |
Review qualifications of staff; ratio of compliance staff to business, compensation to the business |
Id. |
|
|
2.35 |
Adequacy of compliance staff based on risk assessment |
Risk assessment considers the number and competency of staff required to address risk |
Id. See also certification program available to all compliance staff. |
|
|
Compliance Plan: |
||||
|
2.36 |
Compliance plan assessments |
· Document review, including compliance plan and policies. |
See self-audits. |
|
|
· Is there an external review conducted periodically? |
Id. External review recommended periodically. |
|||
|
· What is the role of internal audit with regarding to compliance? |
Role is to ensure that policies, processes and tracking mechanisms are being followed for each requirement of the Rules. |
|||
|
· How does internal audit interact with compliance? |
The Executive Team nominate the personnel to conduct self-audits. Includes Workforce members from various functional areas. |
|||
|
· Benchmark program with similar sizes within the same industry |
None. |
|||
|
2.37 |
Compliance plan process |
Audit process for development of the annual compliance plan. |
See self-audits. |
|
|
2.38 |
Compliance organization |
Assess the positioning and effectiveness of the compliance organization staff, titles, organizational chart, pay, promotion records compared to other areas within the organization |
Id. |
|
|
2.39 |
Document that establishes the authority of the program |
Document review, meeting minutes for approval. |
Id. |
|
|
2.4 |
Perception of compliance program |
Survey employees |
Id. |
|
|
Culture: |
||||
|
2.41 |
Accountability |
SURVEY ‐ Does the compliance department have an impact on how you do your job? (Yes/No/Don't know) |
Id. |
|
|
2.42 |
Accuracy and Trust in Monitoring |
SURVEY: Do you believe the information from your department is reported with a high degree of integrity and accuracy? (Yes/ No/Don’t know) |
||
|
2.43 |
Culture |
Conduct cultural survey (interviews, confidential surveys, focus groups, etc.) and report findings to compliance committee and board. Review minutes to ensure report out and action plan established. |
Id. |
|
|
2.44 |
Effectiveness of compliance program in the field |
Survey of field compliance people |
Id. |
|
|
2.45 |
What is company doing to drive compliance culture? |
Surveys: |
Id. |
|
|
· What does company incentivize? |
Id. |
|||
|
· What does the company promote and look down on? |
Id. |
|||
|
· Is compliance program tied to mission, vision, values? |
Id. See also Executive Team governance committee. |
|||
|
2.46 |
Employee comments from “Rounding” |
Audit the tracking of what employees report when proactively asked by compliance department (or leadership, etc.) and how this information is managed and reported. |
Id. |
|
|
2.47 |
Measuring effectiveness of executive communication on compliance |
Track on‐line engagement (clicks) and survey audience |
Id. |
|
|
Incentives: |
||||
|
2.48 |
Aligning performance management system (promotion system) with ethics and compliance objectives |
Audit criteria of promotion, bonuses and assignments |
Id. |
|
|
2.49 |
Compliance and Ethics Role/participation for developing the incentive system |
Have an outside independent expert audit the incentive system and compliance officer's participation |
None. |
|
|
2.5 |
Is incentive system consistent with compliance program |
Employee Survey |
None. |
|
|
Performance Evaluations: |
||||
|
2.51 |
Proper alignment of compliance objectives with organizational performance incentives (promotions/performance appraisals/bonuses) |
· Audit disciplinary records and performance evaluations for consistency with compliance |
See self-audits. |
|
|
· Audit/Review of process for performance incentives (promotions/performance appraisals/bonuses) criteria to include compliance components |
Id. |
|
2.52 |
“Compliance” as a performance appraisal element |
· Audit performance appraisals. Some options include: o Acknowledgment of no disciplinary action o Education completion o Documentation of promotion of compliance |
||
|
· Are merit increases tied to performance? |
Id. |
|||
|
· Does completion of compliance education, promotion of compliance through words, actions or no documented disciplinary action and/or, completion of corrective action plans within the due dates play a role into the calculation of merit increase? |
Id. |
|||
|
· Compliance is part of the annual performance evaluation and HR knows how to evaluate issues for compliance |
Id. See also |
|||
|
2.53 |
Manager performance evaluations |
Managers have open door policy, communicate compliance directives/initiatives, address compliance matters and effectiveness is noted in performance evaluation. |
See Executive Team governance committee. |
|
|
2.54 |
Is compliance taken into account in promotion decisions? |
Review promotion lists and documentation to support promotion. Did the individual actively promote compliance? |
Id. |
|
|
2.55 |
Organizational Retaliation |
Track whistleblower promotion, bonuses, sick days, disciplinary, corrective action measures and exit interview over long term |
Id. |
|
|
Risk Assessments: |
||||
|
2.56 |
Compliance Resource knowledge and competence |
Survey, focus groups and interviews |
Expresso also for Risk Assessment to be conducted as needed. Historical Risk Assessments can be accessed for reporting purposes. |
|
|
2.57 |
Compliance staff knowledge of current regulatory changes and laws |
Document review and interviews. Review certificates of attendance at conferences/other educational events, “tools” used to keep compliance staff current, compliance budget (to support access to current regulatory changes and laws). |
See certification program available to all staff. |
|
|
2.58 |
Monitoring of regulations that impact the organization |
Document and process review, interviews. |
See self-audits. |
|
|
· Is there a policy and procedure? |
Id. |
|||
|
· Is there evidence that regulations, etc. are disseminated and implemented? |
Id. Signatures required for all policies by all Workforce members. |
|||
|
· Are there designated individual(s) that monitor laws, regulations, policies that impact organization? |
There is the responsibility of the CO. |
|||
|
· How do they get the information and what do they do with it to make sure it gets to the right people? |
Certification through training. Monthly newsletters, webinars, etc. |
|||
|
2.59 |
Risk Assessment Cycle |
· Audit adherence to risk assessment cycle |
Expresso™ |
|
|
· Annual documented risk assessment has been communicated to oversight committee |
Id. |
|||
|
2.6 |
Risk based work plan that covers compliance plan elements with board approval and regular reporting on those projects to board |
Compliance Committee and board minutes review. |
See Executive Team governance committee. |
|
|
2.61 |
Work plan development based on risk assessment |
Process and document review. |
Id. |
|
|
2.62 |
Prioritization of risk and consultation with applicable risk partners (i.e., legal, HR, IT, risk management, etc.) |
Documentation and process review. Is there a risk based plan? How was it developed? |
Id. |
|
|
2.63 |
Exit interview |
Compliance concerns that come up in exit interviews are addressed |
Id. |
|
Compliance Work Plan: |
||||
|
2.64 |
Compliance work plan |
Audit to ensure the work plan is developed and implemented and it is followed‐through and outcomes are reported to compliance committee or to governing body |
Id. |
|
|
2.65 |
Effectiveness of compliance program |
Written annual work plan that includes minutes |
Id. Based in part on last Expresso™ Risk Assessment. |
|
|
Legal Counsel's Role: |
||||
|
2.66 |
Role of counsel in compliance process |
Interview counsel regarding their involvement. |
See self-audits. Monthly newsletters, webinars, etc. |
|
|
· When they are brought into matters? |
As required. |
|||
|
· Where is counsel situated in relation to compliance officer on organizational chart? |
N/A |
|||
|
2.67 |
Existence and adherence to policy on involvement of legal in handling matters under privilege |
Review policy and sample areas that were referred to legal followed the policy |
As required. |
|
|
Other: |
||||
|
2.68 |
Job descriptions of management |
Review of management job descriptions. Do managers have concrete compliance deliverables other than training and abiding by Code of Conduct? |
See Executive Team governance committee. |
Comments