This series looks at monitoring programs across industries, including privacy consulting, healthcare, IT, finance, government and telecom.
Privacy offices across industries are looking for ways to mature their programs. One key measure of a mature program is to monitor staff to ensure compliance with policies and procedures, contractual agreements and laws and regulations.
In this installment of the series, I spoke with Danette Slevinski, vice president and corporate responsibility officer for Bon Secours Charity Health System, a system of three acute-care hospitals, two nursing homes, an assisted living facility, a home care program and a medical group. There, Slevinski administers the corporate responsibility and Health Insurance Portability and Accountability Act (HIPAA) privacy program.
Slevinski believes that developing and thoroughly documenting your monitoring program is key to a successful program. She says that when issues are identified, privacy pros should perform continuous monitoring of those issues to show improvements or help identify additional root causes that need to be addressed.
Most importantly, she says, it's key to keep leadership informed of risks and demonstrate the success of your monitoring program through longitudinal dashboards. Here's what she had to say about how to monitor a program successfully.
The Privacy Advisor: Why is developing a monitoring program important?
Slevinski: It's critical to implement and train your staff on corporate, regulatory, HIPAA Privacy and Security policies and procedures. Since the environment inside of and external to an organization is continuously changing, monitoring is essential to ensure that policies and procedures are updated as needed and followed. Staff come and go. Laws change. Electronic systems and software are updated. By having a monitoring program that you update regularly, at whatever interval works for your organization, you can ensure that internal and external changes do not result in noncompliance. Since there are so many regulations regardless of what industry you practice in, one way to make a monitoring program feasible is to identify the highest risks for noncompliance—risks most likely to cause patient or consumer harm—and over a three-year period audit those risks. Adjust policies and standards monitored annually or at the end of the monitoring cycle.
The Privacy Advisor: How should people determine what to monitor?
Slevinski: There are many ways to do this, but the key is to address your highest risks. Since risks regularly change or can be overlooked by compliance and operational staff within the organization, it is important to have a process to think about the internal and external risks that are highest. Just because an issue is of high probability to occur—because perhaps a policy or procedure is not in place to prevent it—does not automatically mean that is the highest risk. In addition to identifying the likelihood of a risk, it is also important to evaluate the impact of noncompliance.
Timing is also important. If you are reviewing compliance on a certain policy and it was just the subject of an online education program, you might want to add it to a monitoring plan for a future time period. Create a list of errors corrected within the last year based on compliance reviews and internal investigations, as well as errors identified by external audits. This list can be used in the future to monitor and make sure that management action plans were effective and withstood the test of time and turnover of staff.
The Privacy Advisor: How should they document their monitoring program and the results of any monitoring that they are performing?
Slevinski: Each compliance officer should come up with a system of documentation that meets the needs of their organization and the available resources and technology. Some compliance staff use electronic tools to document risk assessments, monitoring plans and management action plans developed to address identified risks. Others use electronic spreadsheets that are saved on share drives that can be reviewed and/or edited by the compliance team and are viewable to the compliance committee or leadership in the organization.
Results of monitoring should be presented to senior leadership, middle management and the board. Know your audience and tailor the data to meet your training or briefing objective for each audience. Within your industry, there might be governmental websites or proprietary monitoring and risk assessment tools available for download.
The Privacy Advisor: What are three key tips that you would give to someone developing a monitoring program?
- If you are new to the organization, initially assess the compliance program by reviewing all available materials, including the current monitoring plan, and conduct a risk assessment. A risk and/or compliance program assessment should be performed at the end of each monitoring program cycle or as needed to ensure that all key risks are covered.
- Then, identify the scope of your monitoring. For example, a healthcare compliance officer may have oversight over HIPAA privacy, HIPAA security, revenue cycle and contracting. There might be a revenue cycle, legal, audit or contract compliance monitoring plan being handled within various departments. What is the scope of the work that you need to cover with the resources available to you?
- Get the right people involved. Operational leaders are often overlooked allies. Inevitably, they are key stakeholders in any monitoring plan. A well-targeted monitoring plan maximizes value (compliance issues avoided with an efficient use of staff to conduct monitoring).
The Privacy Advisor: What are pitfalls to watch out for and how should those be addressed?
Slevinski: Resources in staffing, software, training and external consulting are generally hard to come by. The regulatory environment continues to increase in stringency. Make sure to keep leadership briefed on the cost of noncompliance, the monitoring program “wins” and relevant dashboard data to ensure that they are aware of the value of an effective monitoring program.
Changes in the law can require a compliance officer to quickly shift gears, and overlooking a legal change can result in serious ramifications. Join listservs for organizations that keep you and your team updated on regulatory changes and ensure that a compliance team member is charged with monitoring them. If technology changes and you haven’t kept up, your organization is open to risk. Consider the texting and emailing of unencrypted, unsecured patient information or financial data. Keep abreast of new technologies. Also, consider whether your vendor partners are carrying sufficient insurance to cover breaches or other errors.