HCCA Wrap Up

By Rita Bowen, VP, Privacy, Compliance and HIM Policy for MRO
Twitter: @MROCorp

The Health Care Compliance Association’s Compliance Institute is a must-attend event for provider, hospital and health system professionals working with any form of healthcare compliance. From its opening session on Sunday, March 26th to important updates from the U.S. Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) and Office for Civil Rights (OCR), the 21st annual meeting delivered.

Top of the list for this five-time attendee included new insights regarding stage three of Phase 2 HIPAA audits, the OCR’s priorities for patients’ access to information, and strategies to build a “wildly effective” compliance program. Here are three key takeaways from this year’s event.

Third Stage of Phase 2 HIPAA Audits Ahead
The OCR continues to evaluate the results of HIPAA desk audits conducted in 2016 as part of the second stage of Phase 2 HIPAA audits. Illana Peters, senior advisor for HIPAA compliance and enforcement for the OCR, announced the third stage of Phase 2 HIPAA audits will be finalized upon conclusion of the first two stages, and should begin in late 2017 or early 2018.

Stage three of Phase 2 HIPAA audits will be focused on privacy and security quality improvement, and the new reviews are designed to identify best practices for breach prevention through education, awareness and guidance. In her presentation to Compliance Institute attendees, Peters emphasized that the HIPAA Audit Program in not intended to be punitive, nor was it ever.

Patient Access to Information Remains OCR Focus
In her closing statements, Peters reminded the HCCA audience that providing patients or personal representatives with easy, secure access to health information is an ongoing priority. From a compliance perspective, the need to encourage patient advocacy and education was emphasized, along with ensuring patients know their rights and responsibilities when requesting, receiving and sharing Protected Health Information (PHI).

Patients and hospital employees may also play a larger role in reporting privacy and security incidents, according to Peters. Her session included discussion of a failed proposal granting financial incentives to privacy and security incident whistleblowers. While this aspect of HIPAA wasn’t passed in the 2013 Omnibus Rule, it may be back on the table for review and consideration later this year.

Effective Compliance Requires C-Suite Support
Finally, compliance officers’ role as traffic cop was highlighted during an information-packed session on building a successful compliance program. Kristy Grant-Hart, owner, Spark Compliance Consulting, drove home the importance of an effective compliance decision tree when garnering executive support and reporting risk.

According to Grant-Hart, compliance officers should ask four questions when determining the level of acceptable risk and C-suite involvement in any type of compliance incident:

  • Is it legal?
  • Is it ethical?
  • Is it against organizational policy?
  • How will it impact our business?

Daniel Levinson, Inspector General, Department of HHS, also provided advice for establishing an effective compliance program. Levinson suggested the following:

  • Use a measurement effectiveness document in your compliance program
  • Review the 500 ideas provided by Corporate Integrity Agreement (CIA) survivors as published by the OIG within guidance documents
  • Consider the human factor for stronger healthcare compliance

As Levinson emphasized during his closing remarks, the best technology in the world can’t overcome human error.