May 2018 Takeaways
Tear out this page and keep for reference, or share with a colleague. Visit hcca-info.org for more information.
Best practices for handling large-scale
HIPAA breaches in research
by Emmelyn Kim and Cynthia Hahn (page 24)
» Assemble a task force involving multiple stakeholders
to handle large-scale breaches.
» Plan ahead for any required notifications to required
» Develop a robust corrective and preventive action
» Prepare for Office for Civil Rights (OCR) investigations
» Continue to monitor and evaluate organizational risks.
Revised Common Rule delay:
Evaluating institutional preparedness
by Scott J. Lipkin (page 32)
» The effective date for the revised Common Rule is
» The delay provides additional time to establish new
» A robust implementation plan will ease the transition to
the new requirements.
» The implementation should include provisions for post-implementation monitoring.
» A compliance risk assessment plan should also be
Scientific research misconduct vs. fraud:
How to tell the difference
by Michael Tuteur and Torrey Young (page 41)
» The Office of Research Integrity (ORI) has a regulatory
framework for research misconduct matters.
» Following ORI regulatory requirements does not shield
research institutions from False Claims Act (FCA)
» Understanding when research misconduct creates
FCA liability is the first step in protecting a research
» Research misconduct can create FCA liability if the
misconduct results in false information submitted in
an application that was material to the government’s
decision to fund the research.
» Research institutions may need to conduct parallel
investigations to comply with ORI requirements and to
mitigate potential FCA liability.
New health system compliance focus
on tax exemption matters
by Michael W. Peregrine and
Erika Mayshar (page 46)
» The new tax bill reflects increasing Congressional
skepticism that non-profit health systems deserve the
benefits of tax-exempt status.
» The IRS’s Exempt Organizations Division appears to
be invigorated, based on recent enforcement actions
against tax-exempt hospitals.
» These developments suggest the renewed importance
of organizational compliance with tax-exemption
» Recent developments are also a reminder that
compliance programs should not be single subject in
» This is an important opportunity for compliance
professionals to team with the general counsel and the
organization’s tax advisors.
Writing specific policies for
the Seven Elements, Part 2:
Elements III through VII
by Scott Robinson (page 52)
» There is no difference between what an organization
“must” do and what it “should” do in the compliance
guidance from CMS.
» The requirements for compliance programs are
deliberately vague so they can be adapted to fit various
kinds and sizes of organizations.
» You could create one all-encompassing policy for each
element, but shorter, more specific policies are easier
to read and understand.
» Policies and procedures will only be effective if every
employee receives training and the terms used are
» Policies and procedures should be reviewed
periodically and updated as necessary.
Controlled substances in
by Kelé Piper (page 59)
» Determine your institutional involvement in the use and
management of controlled substances.
» Know your baseline compliance to determine
resources needed to create an effective program to
prevent diversion of controlled substances and meet
» Write a clear policy and/or standard operating
procedure, and educate staff to enhance compliance.
» Make the process simple; standardize where possible.
» Go to the source; don’t be afraid to contact your
Privacy dashboards: Tracking and
reporting for compliant PHI disclosure
by Rita Bowen (page 62)
» Privacy dashboards improve compliance by showing
root causes, patterns, and trends.
» Centralized release of information (ROI) helps
safeguard protected health information (PHI) and
assures patient access rights.
» High-risk areas include Health Information
Management (HIM), the Emergency department,
Radiology, the business office, and physician practices.
» Compliant PHI disclosure management requires
constant analytics tracking and reporting.
» Actionable compliance data is a critical tool for value-based care.
Maintaining patient privacy during
by Terrie Estes, Peter A. Khoury, and
Kaitlin McCarthy (page 66)
» Emergency events can create risks to patient privacy.
» Various federal and state regulations outline privacy
» Recent events have brought about important HIPAA
» Penalties continue to increase; assess preparedness
» Prepare and respond to emergencies by deploying a
A different perspective of compliance
by Noah Leiden (page 72)
» Contracting with the government requires complying
with unique administrative terms and conditions not
normally found when contracting with a commercial
» Compliance may be defined differently based on the
perspective taken and specific compliance challenges
associated with the federal government’s expectations
of its contractors.
» Many of the federal government’s administrative
terms and conditions come with unique compliance
requirements and entail a level of internal controls
normally not focused on by commercial organizations.
» The administrative terms and conditions incorporated
into government contracts require an understanding
of Acquisition Regulations System (48 CFR), OMB
Guidance for Grants and Agreements (2 CFR),
Cost Accounting Standards, and agency-specific
» Failure to comply with the federal government’s unique
administrative terms and conditions can impact your
organization’s bottom line in the future as specific
audits may occur several years after award or contract
Evaluating your training effectiveness
by Joette P. Derricks (page 78)
» Review ways to measure compliance effectiveness
» Understand how a knowledge survey works.
» Develop metrics that support your underlying training
» Select metrics that are not counterproductive to your
» Realize that training programs may fail for various
reasons, including the underlying culture.
Coding compliance and ethics:
Make it work and be effective
by Gloryanne Bryant (page 81)
» Healthcare compliance and coding compliance are
directly linked and support each other.
» There are 11 principles that make up the foundation of
the ethical coding standards.
» Developing a coding compliance program/plan is not
just paper; it is taking action and being effective also.
» Being open and engaging, plus having transparency,
can greatly help your effectiveness and success.
» Compliance leadership should work closely with HIM
Coding leadership and use the OIG resources and
targets to help guide your efforts.