The Seven Fundamental Elements of an Effective Compliance Program: How to Tell if Your Organization is Compliant
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
A few years ago, the Health Care Fraud Prevention and Enforcement Action Team (HEAT) within the Office for Civil Rights (OCR) issued a series of guidelines for Covered Entities (CEs) and Business Associates (BAs) called The Seven Fundamental Elements of an Effective Compliance Program. The Seven Elements articulate the measures that OCR has deemed absolutely essential to a HIPAA compliance program that will effectively protect protected health information (PHI) and associated patient data, and ensure that compliance with federal regulation is being maintained.
The Seven Elements guidelines are generally a bit broad in scope in order to accommodate the differences among organizations that are subject to HIPAA regulation. However, although practices and organizations may differ in how they manage their compliance, it needs to be stressed that OCR holds every CE and BA to the same standards with regard to their security, their privacy, and the maintenance of their HIPAA compliance. That means that a 500-bed hospital and a single-doctor practice must have equally effective means of achieving, illustrating, and maintaining total HIPAA compliance.
Third-party consultants and partial security solutions are inadequate and incomplete compliance solutions in the eyes of federal auditors for the simple reason that, by definition, they fail to address each of the Seven Elements of an effective compliance program. OCR doesn’t care if an organization has well-renowned lawyers and consultants constructing its policies and procedures if internal auditing and monitoring haven’t even been looked at. In the event of an audit, OCR will accept nothing less than total HIPAA compliance, and you can rest assured that incomplete compliance solutions are nothing more than a pricey precursor to a visit from OCR, especially with 2016’s new round of Phase Two audits.
Compliancy Group’s cloud-based solution, The Guard, is a total HIPAA compliance solution that was built to accommodate and surpass OCR’s Seven Elements and give small- and mid-size organizations compliance with confidence. The Guard’s special focus on internal audits and monitoring gives health care professionals access to the status of their compliance on a regular basis so that they can have a hands-on relationship with their compliance, in stark contrast to the partial and consultant-based solutions that are one-time fixes to the ongoing process required for complete HIPAA compliance.