Benchmarking Your Way to Compliance [Podcast] | Healthicity

Episode 13: Benchmarking Your Way to Compliance

Share:

 

Listen to this episode on iTunes

Prepare Your Compliance Program for 2018.

This week on Compliance Conversations: I asked compliance and healthcare law expert Marcie Swenson, “What do you think the hot topics will be for 2018?” Her answers: benchmarking, data breaches and cyber security.

Organizations will be utilizing OIG guidance to create their own benchmarks and rate their own compliance program. I also asked Marcie what she hoped to see differently in 2018 and she passionately responded, “More risk assessments. To be proactive in compliance you have to perform a risk assessment.”

Tune in to this episode: Benchmarking Your Way to Compliance, for hot topic predictions and tips for 2018 including how to:

  • Use the OIG Guide to Benchmark Your Program
  • Prepare for Cyber Threats and Data Breaches
  • Utilize Risk Assessments

 

Interested in being a guest on the show? Email CJ directly here.

Subscribe to Our Podcast.

Episode Transcript

CJ: Welcome, everybody, to another episode of Compliance Conversations. I’m CJ Wolf, Healthicity's Sr. Compliance Executive and today we have a wonderful guest, Marcie Swenson. Welcome Marcie.

Marcie: Thank you.

CJ: Marcie is one of Healthicity's newest subject matter experts. She has great expertise in both healthcare compliance and some legal expertise, and we're really excited to get to know her a little bit better on today's podcast and talk a little bit about what we, crystal ball if you will, reading the tea leaves, of what compliance might hold for 2018. Really glad you’re here.

Marcie: Thank you.

CJ: So, Marcie, what we do with all of our guests is let them introduce themselves a little bit. We’d like to learn a little bit more about you. If you’d tell us more about your professional experience, your background, and some of the compliance experience you’ve had, that would be great.

Marcie: Okay. Well, I started in healthcare in 2004, and I started in the clinical side of things, which is, I guess similar to you, CJ.

CJ: Yeah, I guess we didn’t like taking care patients or something.

Marcie: I actually really loved taking care of patients, so I was a registered nurse. I worked as an EMT and nurse manager, administrator, and then I went back to law school. I went to J. Reuben Clark Law School and received my JD there, so I’m licensed to practice in Utah. And after I graduated with my JD I started working for Intermountain Health Care, which is a large western healthcare system with 22 hospitals and 200 physician’s clinics.

CJ: Thousands of employees, right?

Marcie: Thirty-nine thousand. Yeah.

CJ: Oh, my goodness. I used to work for Intermountain as well, but that was years ago. They did not have that many employees at that time.

Marcie: Yeah, so 39,000 employees. And simultaneously I was commuting to Loyola University Chicago and completed my masters of law, or LLM, in healthcare law there. So, I just did 2 more years and specialized in healthcare law.

CJ: And they have, and I’m not a lawyer, but I know a lot of people that specialize in healthcare law, that’s one of the stronger programs in the country, if I’m not mistaken.

Marcie: Yeah, it definitely is, and there are not a lot of LLM programs in just healthcare law, but they are ranked one of the top. So, it was a fabulous program. Loved it.

CJ: Let me ask you, so when you were an RN, what kind of clinical areas were you involved in?

Marcie: I worked in emergency department and then also ICU. Those were my two primary areas. While I attended law school I also continued to work as a nurse. I worked in a step-down unit, so kind of an intermediate, not quite critical care, but just below that. I worked in in a unit like that, so we still had patients on ventilators, we were doing vent weening with them, they were more long term critical patients.

CJ: Well great. Well, in your recent experience with Intermountain Healthcare’s compliance program, tell me a little bit about some of the areas that you were responsible for. You focused on, I think, rural hospitals a little bit? And what other areas?

Marcie: So, my responsibility shifted a little bit during the time I was there, but I started out, they hard just decided to hire regional compliance officers, and I was hired into one of the first regional compliance officer positions, and they really wanted to have a stronger compliance program in their rural hospitals, and kind of bring that up the Intermountain standard as far as compliance. So, I took on that role. No one had been in that position before, so it was very interesting. I was working with 7 to 9 hospital administrators that had to get familiar with me, and you have to build the confidence in them, and you have to gain their trust to even start building a better culture of compliance. So, we did that, and we also hired in compliance managers for each of those hospitals. And over subsequent years I trained them and they took over some of the initiatives that I first started.

CJ: So, were they kind of the on-site compliance contacts, if you will?

Marcie: Yeah. So, we tried to make them as much as an expert as possible, so I had a year long compliance director training that I took them through. And I developed that from my education at Loyola, so it’s, ya know, reading assignments, and lots of articles, and writing assignments, and we took them through that process to help them learn how to be a better compliance manager.

CJ: Were they full time compliance managers, or wearing a couple different hats?

Marcie: A couple of the hospitals were full time, but they most often with rural hospitals they wear multiple hats. So usually they would be over quality, risk management, and then also compliance.

CJ: Ya know I think that is also consistent with a lot of our clients within Healthicity. We have some smaller hospitals, some smaller physician’s practices. We have larger clients as well, where there is full-time people. But it’s kind of a different approach you might take with compliance when you’re wearing a different hat and the resources might not be there to have somebody full-time.

Marcie: And as you know, rural is, as far as the government is concerned, is any hospital that has less than 100 beds. So that’s a huge spread.

CJ: So not necessarily rural "out in the farm" if they have less than 100 beds they could be out in a suburb?

Marcie: Yeah, some people would say that’s a medium size hospital. They may still operate under rural additional funding, and things like that. So, it’s a really broad range. Some had full time and some wore multiple hats.

CJ: Great, that is an interesting area of compliance. Maybe we’ll have you as a guest again and we can dive a little bit more into that on another day. But today, kind of the new year, it is the new year, and we thought we’d pick your brain a little bit on what you think the new year might hold in compliance. The first question is what do you think will be some of the hot topics in 2018?

Marcie: So, I would say the hot topics are going to be benchmarking and data breaches in cyber security. So, with benchmarking, most everyone now is familiar with the guidance that the Office of Inspector General released last march. It’s called Measuring Compliance Program Effectiveness: A Resource Guide. Even though the OIG claims the guide isn’t to become benchmarks, the industry is going to utilize it that way.

CJ: That’s right, because we have not had those types of measures shared, at least published, from the OIG previously. Maybe little bits and pieces, but not such a comprehensive guide.

Marcie: This is the first time, from the OIG, we’re getting this type of information that we can even start building benchmarks. So, I think that’s going to be a big focus, and you know, based on that information, everybody’s who’s reading that knows as you start reading through this the next thing that comes to mind is, "How am I going to take this information and utilize it in my compliance program?" Because as it sits, it’s kind of a checklist, but it’s a checklist that every item doesn’t necessarily apply to every organization or every provider, and so it’s really difficult to take that information and then create something useful out of it. So, I think that’s also going to be part of the focus for 2018 and benchmarking, is using that OIG guidance and creating assessment tools and benchmarks where organizations can start benchmarking themselves against other organizations. And also, kind of rating their own program, "How do I stack up, according to this guidance that the OIG released?"

CJ: Exactly, and for those of you who might not be that familiar with it, recall that that was released, as Marcie said, in March last year at the HCCA’s Compliance Institute by the Inspector General himself. We then, at Healthicity, we did a webinar on it and kind of broke it down a little bit, so if that’s something you need to refresh your memory on, go back to our Resources page on the website and you can watch the recording on that webinar. But there is a lot of really good, the guidance is broken down by the 7 elements, so these are actual measures that the OIG is recommending. Look you can measure this when it comes to communication, you know, one of those elements, or policies and procedures, these are things that you can measure to say, eh, we’re doing not so good, or we’re doing better. Because, otherwise, a lot of people in compliance feel things are so subjective, so any time we can measure things at least a little bit, it’s still subjective a little bit, but at least there is some things we can look at.

Marcie: And I’m currently working on a tool that organizations will be able to use to measure, and it even produces a score at the end. So they can see from year to year if they are just comparing their own organization, or soon they should be able to compare peers, similar organizations.

CJ: Wouldn’t that be great. I know that this is relatively new in the compliance world, but if it could progress to a place where those types of measures are shared. You know in hospitals you get quality measures that are being shared now. People complain about some of those measures. Those measures will always be a topic of debate.

Marcie: As the should.

CJ: Exactly, but at least it’s moving us in a direction of kind of transparency, and talking about these issues.

Marcie: Yeah, Exactly. So, with compliance there is that extra little fear that "I don’t know if I really want to disclose this information about my compliance program." Or how ineffective this component of my program is, just because it does open you up to a little bit of risk. But I do think new benchmarking tools, this one that I’m working on, will help organizations feel more comfortable because of the way its equally categorized and scored among peers. So, stay tuned for that.

CJ: Yeah, great. So, kind of in that context then, if we’re trying to be proactive as compliance officers and compliance professionals, what would you say, in your opinion, what would be the single most important proactive compliance activity that should be a priority for compliance officers this year? On the proactive side, we all know we put out fires all day, and we’re doing reactive, but proactive.

Marcie: So proactive, I would definitely say risk assessments. Helping organizations I’m surprised sometimes at how little amount of focus is placed on risk assessment, and I feel like this is kind of the starting point for almost any proactive initiative, or measure, that you’re going to put together. Overall, this should be the very top priority because it’s the starting point. How can you really determine what projects to work on if you have not done a true risk assessment, and why would you waste time on certain initiatives if they’re really not, or shouldn’t be, priority initiatives? And so, you do your risk assessment, prioritize you risk, and then you can decide, "Okay, these are the things that we can work on." And when you do risk assessments you may not be able to get to every single item on there.

CJ: I’m glad you mentioned that. Because I actually, you know, because none of us have unlimited resources in compliance, and you can’t spend your entire organizations budget on every potential risk out there, you have to prioritize. I’ve always been of the mind that when I do my risk assessment I always have way more risks listed than I could possibly attack that year. And I usually report my risk assessment results to the board so they can see this is where we have resources and we can attack these areas, but everyone knows in the back of their mind there are these other areas as well, we feel they are lower risk, and less likely, but they could pop up and bite us too. That way they see that you can’t do everything, no compliance program is going to be perfect.

Marcie: So maybe when you’re done--let’s say your risk assessment had 50 assessment categories--maybe your organization really can only deal with 10, or 5 of those, but what I think it does is you’re still identifying your highest risks. So, you’re putting your resources, even if they are limited, to the most important places, and it shows that you’re making progress, and your directing resources to the appropriate risk areas.

CJ: Now when you talk about risk assessments, who else should be involved in that process? Because I think a lot of people think, "Oh, I’m the compliance officer, I’ll do the risk assessment and I’ll be done." I think that’s kind of a closed-minded way to look at it. Maybe that’s where you start, but you’re discussing these with key players, and key leadership throughout the organization, because it’s the organizations risk assessment not your personal.

Marcie: Yeah, so I should be doing a webinar on risk assessment’s coming up in the next couple months, and so that will kind of cover the basics of how to conduct a risk assessment, and it will go into that. The compliance officer, or director, already kind of knows what they think the risks are, and so the risk assessment process should involve other leaders, clinical programs, various business units within the organization, to get those individuals perspective on what risk is.

CJ: Exactly, and also kind of buy-in, because like you were saying you are going to set priorities, and that needs to be a multifaceted decision as well, not just one person saying this is what we’re going to do.

Marcie: Yeah, additional benefits of conducting a risk assessment, besides pointing you in the right direction, that’s the basis for creating your work plan or action plan for the year. And then you can show true improvement, because you’re actually mitigating the risk and you have the plan that’s showing those steps. But also, you can use your risk assessment to determine where your funds are going to be allocated. So, if your compliance program has so many dollars allocated, then you know where to contribute those. Also, maybe if you’re lacking resources, a risk assessment can be a tool shared with senior leaders to get additional resources. If you have huge risk, let’s say like I said in cyber security, and you don’t have a lot of controls in place, then you can demonstrate in your risk assessment to senior leadership that hey, we need to invest in this software, or we need to do this, or we need a larger work group, or experts in IT and IS to help us.

CJ: Exactly, and I used it that way as well, to kind of say, "Look, I’m not trying to force you to spend more money here, but it is a balancing act." It’s making those decision makers aware of what those potential risks are. And these are business decisions, oftentimes right? Can’t solve everything. So maybe shifting gears a little bit now to kind of the compliance professionals themselves. You’ve seen a lot of compliance programs, you’ve worked with a lot of people that are in the compliance profession. Do you believe there might be one common pitfall that compliance professionals are falling into, and that might be something to focus on for 2018 to improve?

Marcie: Yeah, I think that with all professions there are ruts that, no matter what kind of professional you are, there is a rut for you to fall into, and I think with compliance professionals that is making sure you are taking proactive measures and actions and not just reacting. So, it’s easy to get caught up in the day to day. You had 20 compliance reports yesterday, you’re investigating those, determining what level or risk they are, you have certain reports that are due. Ongoing monitoring that maybe needs to be kept, and suddenly all of your time is absorbed in reactive measures. And so, I think one of the hardest things is carving out time to take and create, and design, proactive measures. I would recommend doing work groups, or if you’re a larger organization so you have various levels of compliance managers, directors, officers, maybe having a round table with those individuals to determine, you know, what the initiatives are going to be. And you can utilize, again, things like your risk assessment to determine, hey what should be our initiatives for next year. Or you can even use these teams to decide what’s our compliance education going to be next year, what is the time frame we’re rolling that out on, what are the key topics we’re trying to hit. I think that those, if you have those solid meetings and committees, work groups in place it kind of keeps people working on proactive measures. But also have some goals and deadlines. Where certain initiatives must be developed by the end of the year to start being worked on for the following year.

CJ: Yeah. So what would you say is kind of a good percentage. So, if I’m your standard compliance professional, or you have a department and you have X number of hours that that department can work on. Is it 50/50, you’re doing 50% reactive, 50% proactive? Is there a good measure?

Marcie: That’s really difficult too. Of course, depending on your role as a compliance professional, would depend on how much time you spend on that.

CJ: Because some might be they are all proactive. If you’re an educator you might be doing proactive education 80% of the time.

Marcie: Or your primary job is to manage the hotline, you are kind of in the incident investigation mode all of the time which is reactive. But sometimes with your work groups, having the involvement of those people, even if the majority of their job role is reactive, having those move into a work group to make proactive suggestions is great because they are right there on the front line and they know this is an issue that is trending. Or you know, I have calls like this all the time, "Can we please have some education on this so employees know how to handle this situation?" But that will help the proactive side. So that’s really kind of a hard, the %, you’re going to have more of a split or even distribution in like a higher compliance position. Or a position with broader oversight, then I can see more of an even split in that, and that’s going to adjust from time to time.

CJ: Exactly, that’s the other thing, when you’re talking about risk assessments those will also adjust and your work plan may also adjust, you may have said it's January 1st and we had our little retreat last week and we kind of came up with what we think we’re going to work on this year, and that may be a good guide, but if next week you get a letter from the OIG saying we’re investigating X, Y, and Z, you shift priorities. And that’s okay.

Marcie: That’s why having deadlines and regular meetings is great. Because that work continues forward on the proactive side of things. Let’s say you’re in the middle of proactive measures of cyber security, which I mentioned as a hot topic for 2018, and you have a malware attack. So you go into emergency response mode, and all your time is absorbed because of the extremely high level of risk and possible sanctions and fines for something like that. At that time a compliance officer might be spending 80% of their time on that because it’s such a big issue. I do think there is kind of a shift throughout the year and depending on the organization.

CJ: You were mentioning on the proactive concept of what’s trending, how do you know what’s trending, and what are the resources you’re looking at, what are you reading, who are you listening to, to kind of find what those proactive trends are?

Marcie: I think that there are two ways as a compliance profession that you can monitor for trends. One is, and this is probably compliance professionals biggest worry, is new laws and regulations. And people are reporting on those, and then any information coming from administrative agencies, CMS, OCI, OIG.

CJ: So, you’re looking at bulletins and publications and regular releases.

Marcie: Yeah. What are they looking into, what’s their focus plan? Make sure you know what the OIG’s work plan is.

CJ: Exactly, which we just did a webinar on last month. So those types of things are really important.

Marcie: Yeah, so that’s kind of one side. So, watching all of the information outlets. And then I think on the internal side, watching for internal trends would be. You need to have a really great compliance software. You need to be watching trends within your incident reports, and being able to refer those to legal, or whatever it is, so that those trends can be tracked.

CJ: And I think an important part of that is categorizing those trends. So, it’s not just saying we have 10% more hotline calls this month, it’s being smart about how you’re reporting incidents for example, you should have topics or categories, you should maybe have HIPAA privacy, you should have HIPAA security as another topic, you should have coding and billing. If you’re a large system, you have inpatient coding and billing vs outpatient. So, there are lots of different ways to categorize these things to kind of monitor or dashboard.

Marcie: Exactly, so then you can really pinpoint where do we see trends. And then, therefore, you can make adjustments or add that to work plans and make sure the controls are put in place, or a lot of times if it is internal it is all about education. Making sure your employees or your leaders understand how to handle a certain situation.

CJ: Well, you had mentioned at the beginning as well kind of those relationships are important. So it’s one thing to have a communication avenue, like a hotline, which is great, but as time went on as I found when I was a compliance officer, as time went on, I got my best information from people that I had built relationships of trust with. Either I had delivered something to them that was useful to them, and then they would come to me after a meeting or in a hallway and that was better than trying to monitor data, because they are the front-line people.

Marcie: Yes, I think that being open to that, and really conducting yourself as a compliance professional in making sure that you’re transparent. Obviously, we’re all trying to be transparent, but even in your relationships and your lines of communication with other leaders within your organization.

CJ: Well good, Marcie, we could talk all day, and we will talk all day because you sit next to me now. I’m so grateful that you’re here! And we’re out of time for today, but any last-minute thoughts or parting comments that you’d like to put out there for good vibes for 2018?

Marcie: Well, I would say based on the topics that I talked about today, make sure if you have not conducted a risk assessment for 2018, get on that promptly, even if it’s a shorter risk assessment and not a super detailed one. At least you’re doing something. And then roll that into a work plan for the year.

CJ: Well thank you for those thoughts, and thank you all for listening, and we will talk again on our next podcast episode. Thank you.