We sat down with Clive Wilby, Compliance Officer at Alabama Cancer Care, to discuss how they transformed their healthcare compliance program 96% completion using The Guard by Compliancy Group.
The Starting Point
Q: What was the compliance situation like when you first joined Alabama Cancer Care?
Clive: To be honest with you, it was inadequate. I joined around 2021-22, and I asked the group for their latest risk assessment. This consisted of a dated spreadsheet with high-level questions, not sufficiently detailed for an in-depth evaluation. After some discussion, it was agreed that we would start from scratch
Q: Were tasks falling through the cracks with those manual processes?
Clive: Oh, undoubtedly. There’s not a program there because we didn’t have a compliance officer, which is a requirement, and then the risk analysis that was done was very high level. There was no breakdown of tasks or any responsibilities that were assigned to anybody. So, the decision to start over was the right one.
Choosing The Guard
Q: In your evaluation of a new solution, what stood out about The Guard?
Clive: Well, starting off with the risk assessment – it’s very, very detailed. What I like is not only does it detail in a language that you can read and it’s not regulatory gobbledygook. They’ve translated that into something that you can use and you can understand. And then at the same time they actually post the codes to which that issue applies, that you can reference back to the source.
In the new version, when you go into that specific control, it also provides you with possible tasks that should spin off of that control point. So not only do you understand it now, but you’ve also got the types of tasks that you need to assign or work through in order to comply.
Q: How does the continuous monitoring aspect work?
Clive: At some point in time – whether it’s annual, half-yearly, or quarterly – it’ll throw up that control point and you have to refresh it. So that means you have to go back and re-look at the point in terms of where you are at that point in time. So you just can’t miss anything, and it repeats based on the assigned review calendar.
I know daily I’ll open up and it’ll say “these tasks are past due.” I feel confident that I’m not missing anything. Whereas without it, I really would have no clue. I’d have to go through a spreadsheet, look at it, try and remember what I said last time. Now, I’ve got a complete audit trail of what I’m doing, what’s outstanding, and what needs to be done.
Impact on Team Workflow
Q: How has the platform impacted your team’s workflow, especially with training?
Clive: I would say the workforce really isn’t even aware of the work that’s going on in the background. They’re aware that there’s The Guard and they go into it and they do their training tasks within the first week of employment, but it’s totally unobtrusive and doesn’t distract them from their day-to-day activity.
These nurses really work so hard, and they have so many patients to see in a day that any additional bureaucracy on top of their workload would be totally untenable. They really are maxed out. So all of this stuff’s happening in the background, and I only actually ping them on issues that are really important at that point in time.
Q: How do you manage compliance across 19 different locations?
Clive: I’ve got what I call an OSHA HIPAA coordinator in each of our 19 facilities and they’re really my prime contact. If I have any tasks that need to be performed at that facility, I ask them to do it, and provide them with any required support
These folks are nurse practitioners, MAs, people of that sort. So they’re not really OSHA coordinators in the true sense, but they’re there as my ears and eyes on what’s going on. Are we actually following the things that we need to be doing? All of those administrative tasks they conduct on my behalf, and then the management of it obviously falls on me.
Training and Policy Management
Q: Have you seen an impact in terms of policy adoption and training completion?
Clive: Absolutely. As soon as an employee is employed, we register them in The Guard immediately. All the training is already pre-assigned. It’s assigned on day one basically. They get into their own portal, they do their training, and The Guard provides me with a window on what they’re doing. Are they progressing? Have they started it? Have they completed it? Or is it in progress?
I know at any point in time who’s defaulting and I then generate a report out of The Guard and send it to HR and say, “Hey, you really need to get on these people because they’re out of compliance.” Our HR manager walks all over them and I can see the numbers clicking up in The Guard.
It is so granular that I can say, “Well, okay, out of the seven training elements that you’ve been given, you’ve only done one.” Just imagine trying to maintain whether people are doing their training in any other way – whether it’s been assigned or not assigned. All happens under the hood.
Risk Assessment Deep Dive
Q: You’ve mentioned that risk assessment was a game-changer. Can you walk us through how The Guard supported you?
Clive: It’s split up – there’s privacy, breach, security, and then workplace safety risk assessments. What’s great is you go in and you’ve got all the guidance that The Guard provides you. Someone has really thought out how to articulate in writing what the essence is, what you’re looking for.
You can select and say, “Look, I’ve either met it, or met it partially, or not at all. And you have to justify your response against each control. I can put documents, policies, procedures, or reference standards against each control, by way of justification. You can do this all within the GUARD without having to reference any other tool or application.”
The policy documents which you can add – the amount of IP that Compliancy Group must have in terms of the knowledge base is amazing. They’re very easy to follow. You can call up the policy, edit it within The Guard very simply and make it really pertinent to your work area.
Q: How do you track your overall compliance status?
Clive: You’ve got the dashboard which gives you an overall view of where you stand in terms of compliance. I think mine stands at 96%, which quite frankly surprised me, but I was very impressed. Obviously, it’s that 4% that bites you in the rear, so I’m really concerned about getting as close to 100% as possible.
Executive Reporting and Buy-in
Q: When speaking with the board, do you use the reporting features?
Clive: I do use the reporting, and I sometimes drill down on the high-priority items – the things that I need management to address because it’s funding or something of that nature.
I’ll give you an example. The figure was around 85%, and the big thing was a hole in our security program in the sense that we hadn’t done a penetration test. I was able to use The Guard to say, “Hey guys, penetration tests are expensive, but we need to do one annually and we need to do one now because it’s a big hole in our safety program.” I threw up The Guard, showed them the four control points that the penetration test was really hampering our progress, and the CEO said, “Look, I don’t even know why we’re discussing it. Get it done.”
Q: How has this affected your CEO’s confidence in compliance?
Clive: His general comment to me is, “Clive, I have no worries about compliance. You guys have got it under control. I can see it, you show it to me, I can sleep really well at night knowing that you guys have done the very best you can do to keep us safe from non-compliance issues with either OSHA or HIPAA.”
Customer Support Experience
Q: Can you tell us about your experience working with the support team?
Clive: To be honest with you, they’re phenomenal. You ask a question and it gets logged and invariably most of my questions are answered within an hour. Sometimes I’m asking for something a bit more complex, and I think I may have waited a day for the most complex questions I’ve asked. So it’s immediate response number one, and number two, they’re very helpful.
I’ll give you an example. I had the asset register and the mapping that The Guard used versus a mapping that our IT guys used was different. I asked through support if there was any way I could do this differently, and they came back and said, “Yeah, of course you can store it as a file and reference it, but hey, send it to us and we’ll do the mapping for you through the back end,” and they just did it. People are really helpful – I can’t speak highly enough about the support.
The Bottom Line
Q: If someone asked you why they should use Compliancy Group, what would you tell them?
Clive: I think I’d probably say you’re stupid not to, but I couldn’t say that obviously. One of the things is they are obviously very knowledgeable people who understand what goes on. Compliancy will actually provide you with the reports and support documentation that you need if you do have an audit.
I gain confidence from the fact that if I’m doing something stupid, they will come back to me and say, “Hey, you can’t do that.” With the changing regulations, I know that you guys update your policies and procedures, and training to stay current with HIPAA and OSHA. For me to try and do that, it’s impossible. I subscribe to all the list serves, but I don’t know when a rule has been promulgated, whereas for you guys, that is your business.
If you want to do this properly and you want to stay safe and in compliance, go with The Guard.
Q: How would you quantify ROI from using The Guard?
Clive: Return on investment – that is so hard to do. I think it’s an insurance policy, so the ROI depends on not defaulting. If you have a major incident, it can close a business down, so the ROI is very much contingent on you not defaulting. A serious non-compliance can cost you dearly, so being an insurance policy, it’s invaluable really.
In terms of efficiency, look at the resource you would need to try and stay in compliance without something like The Guard – it would be impossible. For me, they’re really paying for just me and some support from my OSHA HIPAA coordinators, and we have a program across 19 sites and 350 personnel. I think there are major savings just in that component, apart from the security of knowing that you comply and you’re not going to get a major fine.
