We hear this term kicked around a lot nowadays "We need to be compliant!", but what the heck do they mean. Unfortunately you ask 4 different people you are getting 4 different answers. The irony is they probably are all correct. In today's world increasing confused and complex world of health care compliance takes many forms. You have legal compliance where you need to maintain HIPAA compliance along with Federal and State statutes. You have accreditation compliance were you need need to maintain NCQA and URAC compliance. You will also need to maintain compliance with your own internal policies and procedures. I'm going to focus a bit on internal compliance because I don't think this gets enough consideration and truthfully in the long run this will save you a lot of heart ache.
Internal Compliance to me is maintaining your internal policies and faithfully using them as your guidelines to how you do business. A simple form of compliance would be using a standard set of documents for internal and external use. It could be as complex as what your clinical guidelines are for Diabetes Care. A lot of companies don't really put much faith in documentation and established procedures. They find it time consuming and a waste of money. The fact of the matter is that the type of regulation and oversight that is present in the aviation industry is coming to health care. NCQA and URAC both expect internal policies and procedures to be present and followed, it just happen to be a lot of overlap when it comes to HIPAA. There is considerable expectation that these policies are reviewed on a annual basis. This can be hard for a lot of companies especially if the company culture doesn't support this. Also please realize that if you screw something up at the state or federal level those guys are going to ask what your internal policies are and how they are followed. Believe me you aren't going to get a good reaction if you can't prove you do what you say you do....
The next question is what should be considered for internal compliance oversight. Honestly everything should but that's completely unrealistic for most companies(Unless you are Google and have an extra 300 million to burn). What internal policies and procedures could get you into trouble?. IT policies on security, data, and usage should all be put into that bucket. You better add in all your clinical guidelines that you use also. What about contractual agreements? Yup add those in also. See how the list is growing? It's only going to get bigger with a few more minutes of thought. Let me know if there others that you think should get added to the list! Alright I think I'm going to babble a bit on who should be doing the oversight in my next post
...
Imported/Syndicated Blog Original Publish Date : Thu, May 31, 2012