Culture of Compliance, GRC

Proactive management of your governance, risk and compliance (GRC) program requires you to support a complete culture of compliance across your entire enterprise.

The impact of the regulatory compliance environment on health care organizations is more than administrative or operational.

The primary mission of every health care organization is to provide high-quality, cost-effective services to patients, families, members, clinicians, and communities. Because the majority of organizations operate with high integrity in accomplishing this mission, they may view regulatory compliance as a necessary evil imposed on them by federal and state government—a burden they must bear in order to protect the world against a few bad apples. The stresses imposed by the current regulatory environment promote a comply-or-see-yourselves-on-the-evening-news mentality and fuel resentment among many senior leaders who regard compliance as an obligation rather than a valuable asset.

Nevertheless, the Department of Health and Human Services Office of Inspector General (OIG) and the Department of Justice expect health care organizations to maintain effective compliance programs, an expectation reinforced by the Federal Sentencing Guidelines for Organizations. The quality of an organization's compliance program can make the difference between an honest mistake and reckless disregard, and reckless disregard can invite massive fines and even criminal prosecution. With the Medicare and Medicaid programs in difficult financial straits, governmental scrutiny will not abate. Whether or not such scrutiny is justifiable, it is here to stay, and there is simply no hiding from it.

Regulatory compliance has evolved beyond an administrative function to a necessary strategic enterprise-wide initiative.

Compliance programs in health care have evolved in response to developments in the OIG's Compliance Program Guidance, the federal sentencing guidelines, and certain financial-control elements of the Sarbanes-Oxley Act. The seven elements of an effective program are: oversight by a designated compliance officer or committee; written standards of conduct, policies and procedures; education and training; auditing and monitoring; a communication process (such as a hotline) for reporting concerns; a disciplinary process for enforcing standards; and a process for responding to detected offenses and taking corrective action. Beyond these seven, the federal sentencing guidelines also call for periodic risk assessments, in practice performed annually, that cover all areas of the organization. All this, combined with the thousands of new regulations issued each year, means that without extraordinarily effective tools there is no way even a large compliance team can focus on effecting change, conducting oversight activities, and keeping up to date at the same time.

But arming the compliance department alone may not be enough. The growing information security burden on your enterprise, driven by the need to keep patient data available to clinicians, the unavoidable question of bring-your-own-device (BYOD) access to that data, and stepped-up enforcement of HIPAA (including the Security Rule's required risk analysis), involves your IT and information security departments. New legislative emphasis on quality of care involves your Patient Safety & Quality department. Your need to protect against financial, operational and reputational risk across the enterprise has elevated compliance beyond the job of one person or department to a top-down, governance-based approach that must be instilled throughout the organization as a culture of compliance.

While you can’t place a dollar amount on staying out of jail, you can clearly define the value of an effective compliance program.

The success of that program depends on your ability to manage risk and maintain an enterprise-wide culture of compliance in the face of constant change. Without clear, real-time visibility into the risk and compliance posture of your organization, you are making decisions based on incomplete or inaccurate information. If you are to be held responsible for the activities within your enterprise, you need the insight to manage your regulatory posture proactively rather than react to findings after the fact.