Not All COVID-19 Regulations Are Created Equal

You’re struggling to keep up with all the regulatory changes that COVID-19 has created.

Many of these changes have been short and straightforward… but not all of them.

After analyzing one CMS reg (85 FR 27550), we created a 19-page policy document!

The reg’s primary purpose was to expand the range of practitioners who can order — and thus be compensated by Medicare and Medicaid for — home health services. It also covers a wide range of other revisions for testing, telehealth, medical equipment, and so on.

Our system broke the regulation down into its core requirements — that is, the pieces of the reg that healthcare compliance and clinical professionals need to know about. Then it was reassembled into this document and placed in an order that makes sense.

You can view the whole document by clicking this link.

Every change to a previous procedure is highlighted in red, and it includes hyperlinks to skip around.

Everything is written in clear language, so it’s easy to follow and implement.

Want us to do the same for your organization and the regulations you’re managing? Set up a quick meeting here and let’s get started.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Risk and Compliance in Healthcare Organizations: The Department of Justice’s 2020 Guidance on Corporate Compliance Programs

The Department of Justice has just issued updated Guidance on the evaluation of corporate compliance programs. This document is the latest in a series of Guidance documents (prior versions were issued in 2017 and 2019) issued by the DOJ to assist prosecutors who are investigating potential criminal acts in business organizations. What implications does this have for healthcare compliance?

When it comes to healthcare organizations, the DOJ will typically defer to the agencies with specific healthcare responsibility, such as the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services (HHS). However, the DOJ guidelines are often relied upon as a “best practice” for developing a corporate compliance program, including a healthcare compliance program. The DOJ is also likely to incorporate healthcare-specific guidelines (such as the Seven Elements of an Effective Compliance Program) along with its own Guidance documents, rather than defer entirely to another agency.

DOJ Guidance Documents Explained

Generally speaking, the DOJ issues these guidance documents in an effort to show transparency to both organizations and attorneys. The intent is essentially prophylactic — that is, here’s what we’re going to be looking for, so make sure that you’re following this; and if you aren’t, you can’t be surprised that we’re asking.

This guidance document is slightly unusual in terms of its strength and scope. It provides all federal prosecutors with a strong mandate to assess and evaluate all aspects of a compliance program, regardless of the industry or nature of the putative misconduct. In other words, as part of a broader criminal investigation, the DOJ will review a compliance program, and use this document to guide their investigation into whether that program was at a sufficiently high standard — or not.

There are three overall questions on which this Guidance is built, along with a number of more specific inquiries to guide prosecutors in determining what, if any, consequences should be applied to the organization. These could include prosecution, monetary penalties, and additional compliance obligations (such as reporting).

Question 1: Is the compliance program well-designed?

The Guidance makes specific reference to a formal risk assessment and resource allocation process. This not only means that a compliance program must start with a risk assessment, but risk assessments must be reviewed and updated periodically, and updates must be made to policies, procedures and controls as necessary, throughout the organization.

The Guidance spins out a number of other specific requirements as well, such as training and communication, and reporting and internal investigations. The punchline, though, is that everything comes out of the risk assessment. Every process and procedure that makes up the compliance program must be aligned with the risks identified by the ongoing risk assessment process.

This means that, at a bare minimum, it is essential that a good compliance program have a strong risk assessment behind it. That assessment must be revisited at regular intervals, and changes in internal controls will need to be regularly made.

Question 2: Is the program effectively implemented?

The DOJ is distinguishing here between what we could call a “real” program, as compared to a “paper” program. In other words, are there appropriate resources to make the program function the way it was designed? Does senior management buy in to the program, and endorse it at a cultural level throughout the organization?

While a risk assessment is where a compliance program begins, the Guidance makes clear that it is in ongoing management and implementation that a compliance program comes to life. Without significant time and resources invested to build the compliance program into the way the organization functions, the program is not going to be sufficient, and the organization will be vulnerable to potential penalties.

Question 3: Does the program actually work?

This backward-looking question is intended to assess whether the program was well-designed and well-implemented for the particular organization within which it operates. That is, if misconduct has occurred, was this because the program wasn’t the right program for this organization? Or was the program functioning well, and the misconduct resulted from something else? (DOJ acknowledges that no compliance program will ever prevent every incident of misconduct.)

What DOJ is ultimately looking for here is whether the program changes over time, in response to changes in the organization. If there is misconduct, is it investigated? Are opportunities identified for improving the compliance program to prevent the misconduct in future? Have these remediation efforts actually been implemented? And so on.

Best Practices

Overall, the DOJ has provided a set of clear guidelines that should be used to not only develop new compliance programs, but assess existing ones. Programs which do not live up to the DOJ’s requirements on risk assessments, program implementation, and continuous improvement are more likely to be found to be inadequate. And an inadequate compliance program leaves a healthcare organization at risk.

Protecting Hospital Finances in the Post-Pandemic Environment

It’s become a cliche, especially in healthcare, to say that COVID-19 has changed “everything”. One thing that has clearly changed, however, is hospital finances.

Pandemic response stretched every healthcare system in the United States, many to the breaking point. Revenues from non-COVID procedures were significantly reduced, to the point that furloughs of vital medical staff have become necessary.

In this environment, compliance professionals have an important role to play. Ensuring that all payment compliance regulations are being followed helps to protect existing revenue streams, and helps to get the system back on a strong financial footing. As hospitals are getting “back to normal” and trying to find ways to bolster their budgets, good compliance practices are vital.

Outstanding Payments and Patient Insurance

In-hospital treatments declined during the pandemic; however, virtual health visits significantly increased. It’s crucial to continuously monitor payment compliance practices, which include patient insurance information, especially when offering this new treatment vector.

Pre-pandemic, the number of Medicare patients increased by 11 million since 2014, and at least 37 states expanded Medicare eligibility in 2019. While it’s hard to say where Medicare coverage will go as government budgets also come under pressure, these numbers could mean that some outstanding medical bills may be covered.

Historically, about 1% to 5% of self-pay accounts, or patient out of pocket costs, are written off by hospitals as bad debt. Checking and double-checking that your institution has the right information about patients, now and going forward, can be a key step in keeping the hospital financially strong.

The number of uninsured patients has continued to grow — by 12% towards the last months of 2017, and 27 million Americans have lost their employer-provided insurance during the pandemic. Overall, improving payment compliance practices in relation to insurance is an important step in effectively managing these, and other, challenges with patient payment balances.

Reducing Readmission Rates and Penalties

If your hospital serves Medicare and Medicaid patients, you probably know the high number of readmissions that occur in typical months. Readmissions that take place within 30 days of an initial visit cost hospitals a staggering $41.3 billion. In a post-COVID world, these patterns may not hold — but that could mean that readmissions are going to go up, not down.

CMS instituted several programs to try to manage these readmission challenges.

  • The Hospital Readmissions Reduction Program (HRRP): rewards hospitals for lowering readmission rates for common health conditions like heart attacks, pneumonia, COPD, and total hip and knee replacement surgery
  • The Hospital-Acquired Condition Reduction Program (HACRP): encourages a reduction in avoidable infections resulting from colon surgeries and hysterectomies, bedsores, sepsis, and even blood clots

Hospitals with, according to CMS, higher than average readmission rates face steep penalties and lower claims reimbursement. In the fiscal year 2020, pandemic notwithstanding, 83% of the 3,300 hospitals in the U.S. were projected to face penalties. And these penalties can be as high as a 3% reduction in repayment. Across the United States, CMS penalizes the worst-performing hospitals with a 1% reduction in total claim reimbursement.

As hospitals reopen and restart regular procedures and treatment, and try to rapidly scale revenue generation, more hospitals may face penalties if compliance practices are not strong. Surprisingly, at least 12% of readmission cases are preventable, according to the Medicare Payment Advisory Commission (MedPAC).

Two ways hospitals can comply with CMS’ regulations and boost patient care are:

  1. Embrace a process that sends discharge summaries to the primary care physician
  2. Assign staff to follow up on post-discharge test results

Setting up such a process can be tricky, especially in larger hospital facilities and in facilities that are still challenged in the aftermath of COVID. Medical staff need to be able to consistently and quickly assign, track, and review summaries and test results.

Monitoring each step of the process is necessary to ensure that your organization is taking the proper steps to adhere to Medicare and Medicaid requirements. That way, your hospital easily avoids significant penalties while boosting patient care. CMS also recommends that hospitals be on the lookout for hospital-related illnesses, which can derail patient care standards.

What You Can Do

Staying on top of the ever-changing world of CMS regulations isn’t easy, especially as we emerge from the pandemic crisis. But we can help by providing you with expert advice and tools that target the regulations and policies needed to run your hospital compliance program more effectively.

Our fully customizable software helps you and your revenue cycle team stay on top of every regulation, so you’ll have the best possible chance of meeting essential mandates, keeping cash flowing and avoiding penalties.

Earning the Gold Seal of Approval from the Joint Commission

Revised September 2022

Complying with the latest regulations will always be a critical priority for healthcare compliance professionals. But earning approval from The Joint Commission, the recognized global leader for health care accreditation, is growing in importance across healthcare organizations, including hospitals, physician group practices, surgery centers, and other treatment facilities. 

This accreditation, known as The Gold Seal of Approval®, acknowledges an organization’s dedication to providing quality care and services to patients. Some states require health care organizations to be accredited by the Commission in order to participate in particular insurance programs.  

If a healthcare organization is accredited by The Joint Commission, it may be deemed to exceed Centers for Medicare and Medicaid (CMS) requirements, along with state law requirements. Additionally, with the public’s attention increasingly focused on becoming informed consumers, earning accreditation also offers organizations a competitive edge.   

Meet the Joint Commission 

The Joint Commission is an independent, not-for-profit organization based in Illinois. Founded more than 65 years ago, the Commission provides an unbiased assessment of a health care organization’s quality achievements in patient care and safety. 

It offers the following accreditation programs: 

  • Ambulatory Care Accreditation 
  • Behavioral Health Care Accreditation 
  • Critical Access Hospital Accreditation 
  • Home Care Accreditation 
  • Hospital Accreditation 
  • Laboratory Services Accreditation 
  • Nursing Care Center Accreditation 
  • Office-Based Surgery Accreditation 

In addition, The Joint Commission offers 20 different certifications for a variety of clinical programs and services. 

Understand the Accreditation Process 

The Commission’s standards set expectations for an organization’s performance that are reasonable, achievable, and measurable. Its on-site surveys are rigorous and are customized for each organization and its efforts to improve patient outcomes. And the start of a survey is usually unannounced. 

During an on-site survey, Commission surveyors perform their evaluation by: 

  1. Tracing the care delivered to patients, residents, or individuals served
  2. Reviewing the information and documentation provided by the organization
  3. Observing and interviewing staff and, when appropriate, patients

The Commission provides a Summary of Survey Findings Report at the conclusion of the on-site survey, with a final accreditation decision made at a later date. Surveyors could recommend: 

  1. Preliminary accreditation
  2. Accreditation
  3. Accreditation with follow-up survey
  4. Preliminary denial of accreditation
  5. Denial of accreditation

An organization’s accreditation is continuous as long as it has a full, unannounced survey within 36 months of the previous survey and it meets all accreditation-related requirements. 

Benefits from Accreditation 

The Gold Seal of Approval is a way to let medical professionals, government regulators, and patients know that an organization stands for quality care, and that it’s always seeking ways to identify known or unknown risks to patient safety. 

For example, healthcare organizations that want to participate in Medicare have to be certified to have met specific CMS quality-related standards. If the organization is accredited by The Joint Commission, CMS will have deemed the entity to have met or exceeded these requirements. That means the organization is not subject to Medicare’s survey and certification process because it has already gone through the Commission’s survey process. 

Additionally, being Commission-accredited may allow the organization to be exempt from meeting state law survey or quality requirements. Be sure to check your state laws to see if they exempt entities accredited by The Joint Commission.

In what other ways can an organization benefit from Joint Commission accreditation? 

  • It can earn various Joint Commission certifications for continued improvement and maintaining performance excellence 
  • It can connect with other like-minded organizations to collaborate on issues affecting the quality and safety of patient care 
  • It can attract more qualified personnel who prefer to serve in a prestigious environment 

Earning Accreditation Means Maintaining Compliance 

Earning the Joint Commission’s Gold Seal of Approval depends on a strong culture of compliance. Organizations that are challenged to manage compliance, or effectively demonstrate compliance, are unlikely to meet the Joint Commission’s rigorous standards. (Read more about Compliance Culture on the YouCompli blog.) 

A culture of compliance is a commitment throughout all levels of an organization to do the right thing and do things right.  When an organization has a strong culture of compliance, there is a spillover effect to obtaining and maintaining Commission accreditation.  Employees see their leaders ensuring the organization is maintaining compliance with elevated standards. Additionally, they see their leaders making business decisions based on organizational policy requirements.  The end result is actions being taken that demonstrate leading by example and modeling that behavior to employees. 

The Gold Seal of Approval accreditation is an important acknowledgment of an organization’s dedication to providing quality care and services to patients. The effort to earn this accreditation is certainly significant, but the payoff in terms of reputation, recruiting and deeming status is worth the effort. Not only that, the process of earning accreditation can help you uncover opportunities to further shape your culture of compliance so that a mindset of always doing the right thing permeates all levels of your organization. All of that is good for the long-term health of your business – and your patients.  

The accreditation process requires significant metrics to demonstrate the effectiveness of your compliance program. YouCompli can help you verify that you took the proper steps to comply with the regulations that apply to you. Find out how.


Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.


How to Juggle Medicare and Medicaid Compliance in a Fluid Regulatory Landscape

Do you treat patients insured by Medicaid or Medicare at your hospital? While participation is voluntary for for-profit healthcare systems, accepting Medicaid and Medicare patients is a condition of federal tax exemption for non-profits. Currently, Medicare and Medicaid account for more than 60 percent of care provided by hospitals, making it nearly impossible for healthcare systems to forgo these programs.

So, if the stark reality is that you must participate, compliance becomes an issue. And it’s complex. Especially for hospitals that have multiple outpatient locations and inpatient campuses. Under Medicare provider-based rules, it’s not possible to certify just part of the system. When you consider there’s nearly a 500-page certification process, it’s clear that it’s crucial to have effective compliance tracking.

An effective compliance program is multi-faceted and includes monitoring and auditing, legal reviews of procedures and contracts, reporting mechanisms as well as training for employees. Healthcare systems are multi-faceted too with labs, pharmacies, rehabilitation centers, clinics, surgery centers and more. Keeping on top of compliance not only to effectively report but to identify and then prevent misconduct before it balloons into a much bigger problem is anything but easy.

The Centers for Medicare & Medicaid Services has attempted to streamline information into quarterly updates for providers, suppliers and the public. While this helps curate the information and updates to regulations, management and oversight of compliance and putting these regs into practice represents an enormous task for each healthcare system. The distance between knowing and doing can be vast when providers are juggling regulations alongside providing quality patient care. Maintaining oversight of not just the Medicare and Medicaid federal regulations, but compliance with other state and local regulations is required.

The regulatory landscape continues to be muddled with additional requirements to safeguard privacy and to fight fraud and abuse today. Since governing bodies are vigilant about fighting fraud, your compliance process needs to be tight or you’ll risk criminal charges, fines and even the possibility of losing licenses. Every state has its own Medicaid Fraud Control Unit (MFCU), typically as part of the State Attorney General’s office. When your compliance tracking system is thorough, the auditing process and working with your MFCU becomes simpler.

Streamline Compliance Tracking

If your hospital is juggling Medicare and Medicaid payment compliance along with all the other mandates and reporting requirements, it can easily get overwhelming. But it doesn’t have to be that way. Solutions such as youCompli’s compliance system monitor and translate Medicare and Medicaid regulations for easier understanding. Then they help you track and oversee your hospital’s compliance.

If you’re ready to take the headache out of Medicare and Medicaid compliance, it’s time to see what a compliance management system can do for you. Schedule a call today where you can see how our risk management software can support your healthcare system’s compliance program.

Worker Fatigue and the Potential Negative Impact on Compliance

When workers get fatigued, what is the impact on compliance?

We all know that, during a normal workday, workers can get fatigued. Fatigue can come from a variety of sources, including personal and professional challenges or stressors. Mental fatigue specifically occurs when there is a need to process overwhelming amounts of new data or information.

The impact and stressors of working during a pandemic can make this worse. Mental fatigue is exacerbated because there is so much new information to cull through on a daily (sometimes more frequent) basis. Combine this information overload with rapidly changing pandemic recommendations and guidelines, and it’s no wonder that workers are becoming more fatigued.

Effects of Fatigue

Memory and performance both decline when a person is mentally fatigued, which can lead to non-compliant behaviors and actions. This happens because fatigue decreases the ability to make new, short-term memories. Lack of short-term memories prevents the formation of long-term memory knowledge. And a person simply cannot recall information which has not been transferred to long-term memory. In this way, fatigue decreases the ability to recall information – whether recently learned or already known.

For example, if the organization has not previously billed for telehealth visits, a fatigued coder may not remember the education that was provided regarding telehealth documentation requirements or the codes applied to these visits. Moreover, the coder may have difficulty recalling in-person visit codes or coding modifiers. When these effects of fatigue happen, coding compliance will decrease.

Mental and physical fatigue can affect worker performance in other ways. Think about the last time you did not get a good night’s sleep. At work the next day, all you can think about is drinking more coffee or taking a nap or going to bed early that night.

Signs of this kind of fatigue include decreased awareness or a general decrease in interest with respect to work or job tasks. Other signs of fatigue include changes in judgment or decision-making. Take, for example, an employee who is usually very engaged on the job, but unexpectedly shows up late for a scheduled meeting. During the meeting, the employee is unusually quiet and provides limited feedback. If that employee’s knowledge and feedback are necessary to make a critical compliance-related decision, there would be not only a negative effect on compliance, but potentially a negative effect on the entire organization.

Compliance Fatigue

There is also a form of specific compliance fatigue – where people are overwhelmed and wearied by the numerous adherence requirements in healthcare policies and procedures and rules and regulations. This combines with mental fatigue, which inhibits the ability to remember and follow these policies and procedures, which is the cornerstone of good compliance.

Employees may know and understand policies and procedures addressing HIPAA. For example, they must use encryption when emailing protected health information (PHI) or personally identifiable information (PII) or payment card information (PCI). Similarly, in the course of their work, they must exercise heightened caution before clicking on links embedded in emails. If they are experiencing fatigue, the possibility of compliance failures increases.

As physical, mental and compliance fatigue increase the potential for job-related mistakes, they conversely decrease worker compliance. The overall impact of worker fatigue can have a very real and negative impact on compliance, ranging from simple mistakes or lapses in judgment to catastrophic errors related to breach of PHI/PII or PCI.

Practice Tips

Encourage supervisors to regularly meet with their staff to evaluate the level of information fatigue or physical fatigue. If possible, conduct education and feedback sessions to help the team talk through fatigue challenges.

Utilize resources, such as youCompli, to assist the team in staying current with healthcare compliance related changes to guidelines, regulations and laws, and managing compliance-related workflows automatically.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  


LTCs Could Use Some Compliance TLC This Year

You can’t say they didn’t warn us.

For almost four years, since November 2016, the LTC Final Rule for qualifying to receive Medicare and Medicaid payments has been looming like a little dark cloud on the horizon, getting bigger and closer each year.

Now, a streamlined version of the HHS Office of Inspector General’s (OIG) recommendations and guidance has become mandatory. And the Centers for Medicare & Medicaid Services (CMS) is tasked with enforcing them. In full.

To begin with, you’ll need to have a fully detailed, written compliance and ethics program for increasing quality of care and preventing “criminal, civil, and administrative violations” and abuses. Since the OIG recommendations, which you’re familiar with, already cover such programs, that shouldn’t be a huge problem.

You’ll also need to designate your CEO, a board member, an operating division head, or, for smaller LTC facilities, a compliance officer, to be in charge of implementing every aspect of the program. Again, determining which “high-level personnel” to designate shouldn’t be a huge problem either.

Then, you’ll need to actually implement the program and document compliance.

That’s the hard part.

The program will have to include everything from pre-employment screening to person-centered care, special diets, crime and abuse prevention, and a compliance hotline that preserves whistleblowers’ anonymity and prevents retribution.

What’s more, you’ll need to break the program into specific steps and train not only each member of your full- and part-time staff, but also your contractors in the parts of the program that affect their duties.

And then you’ll need to track, audit and report on compliance, every step of the way. Are your current procedures up to the task? Is your IT?

That’s where the TLC comes in.

What if someone could monitor regulatory changes for you, and translate them from legalese into clear business requirements in everyday English?

What if they could give you policies and procedures that comply with the regulations, but that you can tailor to your own facility?

If they could tell you exactly which policies and procedures to follow, which tasks to perform, how, and by whom in your organization, and generate reports on each step towards compliance?

If they gave you the capability to track, audit and report on every step of the compliance process, at any time, with just a few mouse clicks?

Could your LTC use that kind of TLC? If so, click here to learn more.

5 Payer Audit Errors Every Hospital Must Avoid

Revised September 2022

Most healthcare providers, from large hospitals to solo practitioners, experience an external audit at some point. The scrutiny can unveil errors and violations, which can lead to hefty penalties. 

The key to surviving an external audit, with the least amount of frustration, is to avoid these five common mistakes. 

1. Late Responses

Your deadline to submit relevant documentation begins upon receiving that external audit request. 

External audits may be requested by a commercial health insurance payer, or government agencies such as the Centers for Medicare and Medicaid Services (CMS) or Office for Civil Rights (OCR). While the origin of the audit request doesn’t matter, a timely response is essential. 

Take all deadlines seriously. If an extension is needed, ask for one, immediately. Missing deadlines can result in hefty fines and penalties. 

2. The Wrong Documentation

A common trigger for payer audits is improper or lack of necessary documentation.  As a healthcare practitioner, you must prove the medical necessity of each test or procedure used to diagnose and treat your patients. 

Here’s the tricky part. Sometimes payers and providers disagree on what tests or procedures are medically necessary.  Additionally, medically necessary guidelines change frequently. CMS provides local coverage determinations (LCDs) and national coverage determinations (NCDs) to help with your documentation. Be sure you are aware of changes to these coverage determinations.  

The best way to mitigate this problem is to educate your staff on what services the payer considers medically necessary, and what documentation is required to establish medical necessity. 

 Additionally, clearly document the need for a particular procedure to treat or diagnose a patient. Finally, when required, ensure that authorization is received from the payer before rendering services. 

3. Billing the Wrong Codes

Incorrect billing and coding practices can raise suspicion of fraud, failed claims, or delayed reimbursement, and — you guessed it — external payer audits. Providers and patients overpay a whopping $68 billion annually due to incorrect billing. 

Coding systems developed by the American Medical Association and the Centers for Medicare and Medicaid are designed to streamline the billing process. Every medical procedure and service, from ambulance rides to chemotherapy drugs to doctor visits, is contained within coding systems such as the ICD-10, CPT, and HCPCS.

Studies show 80 percent of medical bills in the U.S. contain errors. This percentage can decrease by ensuring appropriate staff stay current with billing and coding updates and communicate those changes to the right clinical and administrative staff to avoid old and outdated codes. 

4. No Self-Audit

One way to prepare for payer audits is to perform regular self-audits within your facility.  Internal audits are great for identifying and eliminating weak spots that can potentially lead to headaches down the road, like rejected claims and costly compliance failures. 

One drawback is the strain on precious resources like time and personnel. You can get around this problem by hiring a third-party audit service. Make sure you have HIPAA-compliant Business Associate Agreements (BAAs) so that you’re allowed to share your patient health information with third parties providing auditing services.

Another option is to use software that provides 24/7 access to survey compliance data. Ideally, this software will provide automatic tracking of all documentation and decisions involved in the process of running your organization.

This ensures that compliance professionals can get immediate reporting on how well their team is doing and can conduct audits more efficiently and effectively. It’s a time- and cost-effective alternative to hiring an outside third-party provider.

5. No Legal Help

Having a healthcare attorney in your corner can mean the difference between a smooth audit experience and an audit nightmare. 

Here’s how a healthcare legal team can benefit your health practice: 

  • Work intimately with your staff to analyze any risky billing procedures. 
  • Challenge any demands from payers for overpayment. 
  • Challenge any allegations of fraudulent billing practices. 
  • Push back on any denied claims and the overuse of service claims. 

 Again, software is a useful tool to support your attorney’s work. A system that stores all compliance information, including payment practices, and has search capability will provide your legal team with the information they need to fight payer audit discrepancies when the time arrives. 

 External payer audits don’t have to be a nightmare. By being adequately prepared and vigilant, your next audit experience can be more streamlined and less stress-inducing. 

Learn More About YouCompli

The best way to prepare for a payer audit is to carefully manage regulatory changes and changes to coverage determinations. YouCompli can help you establish a scalable, repeatable process so you don’t miss a relevant change and you can equip your clinical colleagues to respond to the change. Then, when the audit does happen, you’ll have an easy way to demonstrate your work to comply with the requirements. Find out more.


Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.



Understanding and Managing the HIPAA Security Rule

Protecting the privacy of patients is of paramount concern to healthcare organizations today. Data breaches and hacking attempts are happening more frequently. Regulatory requirements are constantly changing. And the pace of technology innovations keeps increasing. The penalties, both financial and reputational, can be disastrous for any organization — and its compliance team — that is not prepared and in the know at all times.

For example, recently a healthcare institution mailed hundreds of patient statements, containing names, account numbers and payments due, to wrong addresses. The organization believed that, for most of these statements, this was not a reportable breach, because there was no patient diagnosis, treatment information, or other medical information listed.

This was not correct. And the failure to understand the rule and its nuances resulted in a $2 million settlement.

The HIPAA Security Rule is the hedge against that kind of disaster  —  so grasping its complexity is crucial.

The regulations that comprise the Security Rule are often the most difficult to understand and implement, as every security compliance measure must be carefully monitored and reported. Not only are all healthcare organizations required to meet the standards and legal requirements in the Security Rule, there can also be implementation specifications, which provide detailed instructions and steps needed for compliance.

From an administrative perspective, HIPAA requires a documented framework of policies and procedures. These policies and procedures detail exactly what your organization does to protect key information. For example, policies can outline the requirements for training for all employees, including those who do and do not have direct access to vital patient information.

The documents that outline the policy and procedure framework must be retained for at least six years (although state requirements may mandate longer retention periods). As policies change, so must your accompanying documentation. And to further ensure your compliance, periodic reviews of policies and responses to changes in the electronic patient health information environment are also recommended.

From a security perspective, HIPAA requires a comprehensive evaluation of the security risks your organization faces, as well as the electronic health record technologies your organization uses.  This includes a combination of physical safeguards — such as IT infrastructure, computer systems and security monitoring systems — and technical safeguards — such as risk management software, healthcare management software or regulatory software. These safeguards are designed to both protect patient information and control access to it.

Fortunately, the Security Rule allows for scalability, flexibility and generalization. This means that smaller organizations are given greater latitude in comparison to larger organizations that have significantly more resources. HIPAA’s security requirements are also not linked to specific technologies or products, since both can change rapidly. Instead, requirements focus more on what needs to be done and when, and less on how it should be accomplished.

Managing the complexity of the HIPAA Security Rule can be easier. At YouCompli, we help you identify, document and monitor your critical HIPAA information. We understand the time and resource constraints that compliance officers operate under — the need for quickly collecting and accessing quality data and reporting it. Our solutions enable you to remain up-to-date with healthcare regulations — what they mean and how to implement them with precision and accuracy in cost-efficient and effective ways. Contact us for more information on how to approach and implement the Security Rule and remain in compliance.