Photo credit: Depositphotos
Compliance officers must become digitally savvy to remain relevant and help their organizations respond strategically to regulations that span the industry’s ecosystem
By Gary Meyer
Healthcare compliance organizations have traditionally been focused on human behaviors inside the walls of a single organization. That’s rapidly changing with the advent of the Interoperability and Patient Access Rule and the Transparency in Coverage rule. The scope of concern of regulatory compliance professionals now must cover how a healthcare organization interacts with other entities, members, providers and patients in the industry ecosystem. New regulations are increasingly concerned with technology compliance and can reshape business and operations models. Compliance officers who help their organizations respond effectively to these forces will remain valued, relevant resources. Achieving that position requires them to build new skills and actively participate in developing strategies that deliver compliance alongside new business capabilities.
Trending: Ecosystem-wide, technology-centered health compliance
The traditional healthcare compliance executive is well-schooled in the Health Insurance Portability and Accountability Act (HIPAA), the Affordable Care Act, Stark laws, corporate integrity agreements and more. In our experience, they are less well-versed in the digital topics trends and technologies that inform the interoperability and transparency regulations. These include the following:
- Ecosystem-driven compliance. Compliance activities, such as training personnel to follow HIPAA privacy procedures, typically have focused on internal users and procedures. When other parties are involved, such as the Centers for Medicare & Medicaid Services (CMS) or provider organizations, all are bound by similar ethics and many of the same regulations.
Now personal health information (PHI) may now be shared by and among multiple external parties, some of which may be outside the healthcare industry. To take one example, the interoperability rules allow a patient to designate someone as his “personal representative.” This representative may authorize a payer to allow a third party, such as an app or a non-traditional health provider, to access the patient’s data. Compliance officers must understand this new realization of a member right and its related identity management, documentation, expiration/revocation and auditability requirements, all of which must be carried out even when the personal representative is not a plan member.
- Increased technical complexity. Tracking and managing this third-party data access and use require modern digital technologies many compliance officers have not previously monitored. Many of healthcare’s current electronic transactions are relatively simple from a technology perspective. Many are one-to-one transactions, such as sending an eligibility file to the Centers for Medicare & Medicaid Systems (CMS) or receiving the EDI 837 Healthcare Claims Transaction Set, a long-established standard, from a provider.
By contrast, complying with price transparency and interoperability rules requires a full technology stack encompassing cloud-based computing, application programming interfaces (APIs), new data standards, such as Fast Healthcare Interoperability Resources (FHIR®) and streamlined, iteration-based methods of developing and refining software capabilities, such as Agile methodologies. The CMS transparency and interoperability rule documents are filled with references to modern technology and processes. That highlights the third major compliance trend.
- Focused on technology vs. individuals. The interoperability and transparency regulations essentially call for machines — computers — to exchange and act on health and related data. In that context, compliance must focus on ensuring software and systems comply with regulations. The compliance stakes are exponentially higher when technology is involved. An individual caregiver or administrator may make a few mistakes with data entry or access. A noncompliant algorithm could make errors in a few seconds affecting thousands of members and patients. It will be up to compliance executives to ensure the technology complies with existing privacy and consent regulations, including those at the state level, while also executing the federal requirements.
Not a job for IT
Given the highly technical content of the interoperability and transparency regulations, it’s not surprising we see many compliance executives simply turning over implementation of these to IT departments. But when compliance officers rely on IT to build compliant software, processes and procedures, we routinely see these negative outcomes:
- Lack of business engagement. Many compliance officers we meet do not actively manage the IT development efforts because they are unfamiliar with the technology involved. Their perception of compliance as an IT challenge also means they often do not involve business and strategy executives. That’s a serious omission when these mandates require publishing formerly proprietary price and contract data and releasing health data to virtually any entity or individual a member designates. At a minimum, the organization’s leaders should understand the competitive forces these rules unleash.
- Increased costs. Given little or no strategic direction or context for compliance projects, we see IT departments using high-end technology to overengineer their responses. Given that CMS regulations continually evolve, overbuilding now could wind up a wasted and expensive effort.
Consider the payer-to-payer data exchange requirements as written in the Interoperability and Patient Access Final Rule (CMS 9115-F). The rule does not precisely define how to execute these exchanges. What is clear is that healthcare organizations may comply with this specific set of requirements using manual processes and workflows until CMS offers more guidance. But we see IT organizations creating APIs to address this.
While it is laudable to be thinking about a future in which healthcare data interoperability and portability have been fully automated, spending resources on developing features that are not required now and that are likely to change can lead to underused functions, higher costs and misallocated resources. Further, rebuilding the function later under new guidance can cause budget overruns. IT needs guidance from compliance executives to ensure its efforts align with compliance priorities.
- Missed business opportunities. IT developers working on transparency and interoperability compliance efforts may not appreciate how the data access requirements create new ways to interact with members and change how the organization delivers care coordination and improves population health. The digitally informed compliance executive should have a broader perspective and can help other executives see and act on those opportunities.
A checklist for the modern healthcare compliance executive
Compliance executives clearly can take a major role in helping their organizations develop strategic, business-game-changing approaches to compliance. Doing so requires them to continually expand their knowledge base on six key technology areas critical to interoperability and transparency:
- Key digital technologies from Cloud to application programming interfaces (APIs)
- Data standards that enable multiple parties to exchange the same data
- IT methodologies & tools delivering software in record speed
- Cyberthreats and how companies defend themselves
- Key security technologies from identity management, verification, and access control
- Advanced topics such as data provenance, sensitivity labelling and consent management
The bottom line is if you are a compliance officer, your value increasingly depends on how well you understand these six technology areas. In particular, you must help senior executives and business leaders realize how data portability and price transparency compliance can reshape business and operating models. The resources below are good starting points for expanding your expertise to ensure your role’s continued relevance to the organization.