- What is a compliance policy?
- What compliance monitoring means
- The importance of compliance monitoring
- What a compliance monitoring plan should look like
- Compliance monitoring systems
A compliance policy, whether it's for healthcare, corporations, or manufacturers, is designed to help those organizations function to the best of their abilities. These are written standards of conduct and performance that help each employee understand their role within the organization and the duties they're expected to perform.
So how do you measure the effectiveness of your compliance policy and the employees who are performing under its metrics? How do you ensure the policy is up to date and that you're meeting those standards?
This is what a compliance monitoring program does. Having one helps the overall effectiveness of your accreditation, your policy manual, and your training program. A compliance monitoring program helps you ensure compliance with all the policies and procedures that govern your organization.
In this article, we'll discuss what a compliance policy is, as well as compliance monitoring, the importance of it, and what a compliance monitoring plan should look like.
What is a compliance policy?
Also called a compliance program, a compliance policy is a set of guidelines and procedures used to maintain organization-wide adherence to laws, regulations, industry standards, and other rules.
The Health & Human Services (HHS) Office of Inspector General (OIG) has issued a number of compliance program guidance documents, with their original compliance program being first published in 1998. They said a compliance policy should include these seven elements (summarized here):
- The development and distribution of written standards of conduct, as well as written policies and procedures that promote the hospital’s commitment to compliance and that address specific areas of potential fraud.
- The designation of a chief compliance officer and a corporate compliance committee responsible for operating and monitoring the compliance program. The CCO and committee should report directly to the CEO and the governing body.
- Development of regular, effective education and training programs for all affected employees.
- A process to receive complaints and procedures to protect the anonymity of complainants and protect whistleblowers from retaliation.
- A system to respond to allegations of improper/ illegal activities and enforcement of appropriate disciplinary action against employees who have violated compliance policies, statutes, regulations, or federal requirements.
- Using audits and other methods to monitor compliance and reduce identified problem areas.
- The investigation and remediation of identified systemic problems and policies to deal with terminated and disciplined employees.
(Later supplemental compliance program guidance documents have also been issued.)
Similarly, in the corporate world, corporate compliance means having policies and procedures that prevent the violations of certain laws, regulations, ethical standards, and other rules. There are internal controls to prevent all this from happening and use legal risk management efforts to avoid the possibility of violating those policies.
In fact, if we hadn't said the OIG's compliance policy was strictly for the HHS, you could almost think it could apply to corporations as well.
The guiding principles of corporate compliance
Each of the policies within the compliance program should describe the general guiding principles and detail the importance of the rules. Procedures should list out the steps and methods a person should perform to achieve the desired outcome.
Organizations that don't create their compliance program or provide the necessary training, especially on federally-mandated regulations like HIPAA or best practices for patient care, can see a myriad of federal fines, expensive lawsuits, droppage from Medicare and Medicaid coverage, and even the loss of their accreditation and liability insurance.
To protect itself, a healthcare facility or hospital should have a compliance policy that contains hundreds of individual policies, procedures, and rules that dictate how employees should function, provide care, and meet mandated standards.
Healthcare compliance should cover numerous functions and areas, including patient care, patient privacy and HIPAA, cybersecurity, billing and reimbursement, medication dispensing, OSHA, and any number of other functions. Not only will a hospital or healthcare facility have an overall policy manual, but different departments and jobs may have their own policy manuals.
Corporate compliance should cover functions like insider trading, market abuse, money laundering, fraud, financing of terrorism, and other crimes.
How do you ensure compliance with policies and procedures?
The best way to ensure your staff is complying with these policies and procedures is through compliance monitoring systems. Monitoring – and auditing – compliance can help a healthcare organization ensure they are following the program's various policies and procedures.
Depending on the size of the organization, there could be a single person responsible for compliance in a small medical practice or a full compliance team or department for a large hospital network.
Compliance monitoring meaning
Compliance monitoring is a continuous process to ensure that affected staff is following all policies and procedures in the manual. Its purpose is to spot compliance risk issues in an organization's operations or function.
Compliance monitoring is less structured than compliance auditing, which is a formal process that usually happens yearly, and is often done by a third-party independent of the organization it's auditing. Monitoring happens from within the organization and usually falls to the chief compliance officer and the compliance committee.
Importance of compliance monitoring
The primary benefit of healthcare compliance monitoring is to improve the level of patient care. Patients benefit when hospitals have a policy and procedure manual, maintain accreditation, and use compliance monitoring to ensure they're following the manual and accreditation requirements. This ensures they're making medical decisions based on the latest scientific information, medical technology, and best practices.
But almost as importantly, compliance monitoring can help hospitals and healthcare professionals reduce the risk of liability lawsuits and settlements. It can also reduce the risk of losing their liability insurance coverage. And it can help them avoid expensive fines from the HHS for HIPAA violations and data breaches.
Compliance monitoring also helps healthcare organizations identify problems and find solutions before a government agency finds them. By regularly monitoring and auditing your compliance policies, you can spot errors and problems that require additional training and professional development.
On the corporate side, corporate compliance helps build the trust of the consumers, helps put them at ease, and keeps them using the banking and financial services that drive our economy. It also helps avoid damaging your institution's reputation, costly penalties and lawsuits, and government sanctions and fines.
Auditing internal processes
Although the OIG didn't differentiate between monitoring and auditing in its original 1998 document, there is a difference between the two. As we said above, monitoring is an internal process performed by the chief compliance officer and the corporate compliance committee.
Auditing, on the other hand, is performed by an independent third party, such as an accreditation agency. The Joint Commission and the Accreditation Association for Ambulatory Health Care (AAAHC) are just two of several accrediting agencies that can audit a hospital's internal processes.
(In the corporate world, corporations will often hire independent firms to perform their audits before their errors and misdeeds are found by groups like FINRA or the Federal Trade Commission.)
Since this is part of the healthcare accreditation requirement, representatives from the accrediting agency will descend on the organization (often unannounced), look over their policies and procedures manual, supervise doctors and nurses, and then ask for proof of compliance. This includes whether all staff have read the existing policies and new policy updates, received the appropriate training, been tested on their knowledge, and signed off on completion of all of these tasks.
It's important that the corporate compliance committee has kept track of all of this information and spent their time pushing affected staff to attend training, take assessments, and sign documents over the intervening years. While accreditation audits may only happen once every one or three years, there are so many moving parts that it's easy to lose track and miss something if you're not careful.
Proving compliance with regulations
There are several ways your organization can prove compliance with different regulations.
For one thing, doctors and nurses should be providing thorough documentation for all patient interactions. If a test is going to be ordered, the documentation should justify it so there aren't any accusations of financial fraud.
For another, because HIPAA is so important, it's critical to prove HIPAA compliance. You can do that with the right software like MedTrainer or Jotform; conduct self-assessments and document all necessary reports; or request a third-party audit from an outside auditor.
Meanwhile, corporate compliance software like CyberOne and MetricStream can help corporations with compliance issue recognition, to identify and eliminate cybersecurity risk issues, and even generate compliance scores across different processes and functions.
Conduct annual policy reviews. This means not only reviewing your general policies and procedures but also updating new policies from your accrediting agency as needed. As the members from your corporate compliance commission review the new policy updates, they can prove compliance by having the latest regulations on the books.
Finally, provide continual training to all affected staff. It's often said the best defense is a good offense. That means you can prove your compliance by showing that your staff has participated in regular, thorough training to help you meet all compliance requirements. Since training and education can already greatly reduce errors, being able to show that you have provided that training can help demonstrate your compliance.
What should a compliance monitoring plan look like?
A compliance monitoring program can measure your organization's adherence to the laws and regulations of your industry, identify compliance risks, and show where possible errors may lie.
A compliance monitoring program should also be reviewed regularly to make sure the standards are up-to-date and that the regulations have not changed.
And the program should be made up of two parts: the internal monitoring done by your corporate compliance committee and chief compliance officer, and the external annual audit by your accreditation agencies or even a third-party auditor.
A compliance monitoring program will also look different based on the industry you're in, whether it's healthcare, finance, banking, manufacturing, or even law enforcement and fire/EMS responders.
A hospital can be monitored or audited by HHS or Social Security Administration; a bank can be audited by the Securities & Exchange Commission; stockbrokers can be audited by FINRA; manufacturers may be monitored by the Environmental Protection Agency and OSHA.
Different groups can also be monitored by their accrediting body, such as the AAAHC or TJC for nursing, the Commission on Accreditation for Law Enforcement Agencies (CALEA) for police departments, and the Higher Learning Commission for colleges and universities.
Each accrediting agency will have its different policies and guidelines. Some agencies like CALEA and the healthcare agencies have different policies they require their accredited bodies to use as they've been developed and vetted based on best practices and the latest research.
An effective compliance monitoring plan will include several different elements, no matter what industry or organization is involved. While each industry will have its own particular requirements, such as HIPAA compliance for healthcare, there are certain elements that every compliance monitoring plan should have:
- An agreed-upon scope and strategy
- A schedule for regular reviewing of all policies and procedures.
- Standard tools and reporting templates
- Systems for reporting
- Training and improvement
- Consequences for failing to improve or complete training
Compliance monitoring systems
There are several moving parts to a compliance monitoring system, including policy reviews, external audits, internal monitoring, and even policy and compliance management software. Each of the following is means of monitoring compliance, and together, they form an effective, unified system.
Operational review cycles
An operational review looks at the actual operation of your organization and its performance. The policy manual may drive expected and accepted behavior, but the operational review looks at whether those standards are being met. The operational review looks at communication issues, operational procedures, HR issues, financial reviews, and anything else that can affect the organization's ability to function.
While this doesn't fall directly under the purview of compliance monitoring, many aspects of an employee's duties and functions are affected by the compliance policies. An employee's performance may be judged by what's in the policy and procedure manuals.
These reviews should at least happen during an annual or quarterly review, but it would be more helpful if you can create an ongoing measurement campaign to provide regular assessments of a person's performance on their work. In manufacturing circles, this would be something as simple as measuring the number of units produced during a worker's shift. For other organizations, this may vary in terms of duties performed and the ability to quantify their results.
Policy and procedures review cycles
Outdated policies may not comply with new laws and regulations, may not include new technology and may miss out on new philosophies and techniques. Imagine a corporate IT policy that doesn't address the use of storing documents on cloud-based servers or fails to recognize the use of available biometrics.
Depending on your organization and the size of your compliance committee, you may want to review your policies on an annual basis. Of course, you don't want to just review the entire manual once a year. Break it up into different sections and review one section per month, but review that same section at the same time each year.
You can also review your policies if there is a large-scale organizational change, changes to existing laws and regulations, or if there's an incident or policy violation.
Policy and compliance management software
Policy reviews are more easily managed when you have policy and compliance management software to help you with your monitoring and reviews.
PowerDMS is a policy and compliance management solution that can help you streamline your policy review process by creating advanced workflows, sending out automated reminders to your compliance committee, ensuring version control, mapping policies to accreditation standards, and much more. It can be used as training management software, which means you can share training content through the solution, and track signatures and testing, which is also a part of accreditation.
Software built specifically for compliance monitoring includes solutions like Onspring, Donesafe, or MasterControl Quality Excellence.
Of course, your compliance management software will depend on your industry and the needs of your organization.
Compliance monitoring is there to ensure your organization complies with the necessary rules, regulations, policies, laws, and standards that guide your organization. Without them, there are too many opportunities for malpractice and malfeasance.
When it comes to high-risk, high-trust industries related to our health and our money, people need to feel comfortable in going to their doctor and their bank. Compliance policies help put people's minds at ease, and compliance monitoring ensures that these organizations continue to observe those policies.
You can learn more about how regulatory compliance differs between industries in this article.