As EMS agencies begin to implement mobile integrated healthcare (MIH) and community paramedicine (CP) programs and begin to partner with other healthcare providers, organizations, and institutions within their communities, they may find themselves having some uncomfortable, and at times confusing, conversations with these other providers. Specifically, I am referring to inquiries regarding the agency’s corporate compliance program.

For most EMS providers, when they think about a compliance program, they think in terms of specific areas or fields of compliance. For example, OSHA compliance, HIPAA compliance, Medicare billing compliance, and so forth. But for other healthcare providers and institutions, the concept of “corporate compliance” represents a much broader spectrum than any one particular area.

A true corporate compliance program is a written and operational commitment to organization-wide compliance with all applicable laws and regulations—not just one particular area or another. Corporate compliance programs are rooted in the U.S. Sentencing Guidelines, which are used to determine applicable sanctions in the event of a federal criminal law conviction. Although comprehensive compliance programs are technically voluntary, all healthcare providers who bill federal programs or receive federal grant funds are expected to have effective comprehensive compliance programs in place. And, if an organization gets in trouble with any federal or state or even local agencies or programs, if the organization has a compliance program in place, and it was followed, that will be taken into account as a mitigating factor when it comes to sentencing the company for crimes and/ or levying fines.

The existence of a comprehensive compliance program within your agency will be especially important to the community partners you seek to work with, because even though the EMS world has historically not been subject to much scrutiny outside of OSHA and Medicare compliance, the community partners themselves are closely watched and monitored, and are required to ensure that anyone they partner with has compliance controls and systems in place that meet their own internal standards. This may be a bitter pill for some EMS agencies to swallow if they wish to do business with other organizations and institutions in their community, especially in terms of cost.

However, a comprehensive corporate compliance program does not have to be an overwhelming task to implement or maintain. In fact, everything is scalable and based on ongoing risk assessments. In the end, it all comes down to the level of risk-tolerance the agency has in any particular area, i.e., how much of a risk to the welfare of the agency is a particular item, area or issue from a legal and regulatory compliance standpoint?

So, how do you get started? Even if you are considering purchasing a “canned” compliance tool such as a policy manual and forms, you still need to customize those policies and tools for your own organization, so the following steps will still apply.

Evaluate the compliance risk

Start by defining the key components necessary to evaluate whether there is a compliance risk in a particular area of your business, such as OSHA, human resources or billing. Use a gap analysis to conduct the evaluation; in other words what are the steps necessary to move from the present state of affairs to the future goal or ideal state that you want to achieve?

Develop policy Conduct an inventory of your existing polices. Do they cover the areas where you have found risk to exist? If existing policies are inadequate (or do not exist in the first place), strengthen or develop them outright. The development goal here is to make sure you are conveying the appropriate message to the targeted audience. For example, senior management with years of experience may not need a step-by-step detailed process spelled out in a written policy, while field staff or newer supervisory staff might need a higher level of detail to reach the same end result. Also, make sure that you have a written statement of corporate philosophy, which conveys a strong promise and commitment to compliance across the organization. But, don’t get bogged down in the details; your policies and statement of corporate philosophy do not have to be fancy! They just have to address compliance risk areas, the dedication to support compliance initiatives within the organization, and provide sound guidance if something should arise.

Embed the policy

This means having a centralized repository for policies, such as in a hard-copy manual or employee-only section of the agency’s website, where the policies are easily accessible to all employees no matter what their rank or position. Develop a compliance communication plan, which is simply a fancy way of saying have a plan to update employees on policy changes, and execute the plan each time a policy is added or updated on a rolling basis. The communication plan should also include a compliance education plan, whether that is a required annual review of a particular set of policies (for example, annual HIPAA compliance or sexual harassment training), or because you have rolled out new policies in a particular area. After all, you cannot expect employees to comply with new or updated policies if you have not educated them on the changes or contents. And finally, whenever you add new business process changes (for example, adding new services such as a CP program or a nurse hotline), make sure to ensure compliance by developing and embedding new policies.

Education

Education is the key to success with all compliance programs and that is why it is critical to provide proper, periodic, and effective education and training of management and personnel at all levels. Develop training methodology and plans, and source and deliver the necessary training (training can vary according to specific group, e.g., a receptionist does not need full billing compliance training). Also be sure to track delivery and attendance. Most government agencies will want to see proof that compliance training was provided, what the contents of the training consisted of and whether or not the offending party(or parties) attended that training.

Monitor & measure effectiveness

Use a system of checks, measures and balances to ensure the program itself is working, and that it is practical, meaningful, reliable and not overly complex.

Specifically target and identify what you are monitoring; design specific steps (i.e., How will it work? Who is responsible for making sure it works?). Review all compliance related programs periodically (at least annually, if not more often). The review should be conducted by your agency’s compliance officer and/or compliance committee, and should include a compliance program effectiveness assessment. Your agency’s board of directors or owner(s) should also conduct self-evaluations to ensure their knowledge and compliance with required compliance objectives and policies.

Respond to detected offenses

This cannot be stressed enough: Immediately investigate any reports of, or observations of, detected offenses. This means reviewing documents, performing systems analysis, conducting interviews, creating and maintaining an investigative file (be sure to include documentation and detailed description of investigation conducted), and enlisting the assistance of legal counsel. Then take corrective action steps appropriate to the violation.

Enforcement

When it comes to enforcement, or taking corrective steps, the range of permissible disciplinary actions should be well-publicized and distributed to all employees and contractors. Sanctions for noncompliance should be applied as uniformly and evenly as possible, and sanctions should apply to all employees and contractors regardless of title, role and importance.

Element of employee performance

Ensure that all employees fully understand that ensuring compliance with applicable laws and regulations is a big part of their job, and that participation in the organization’s compliance program is an element of employee performance. Clearly state in your normal employee manual or handbook the range of permissible and impermissible actions, as well the consequences of failing to abide by those requirements. It is OK to summarize compliance policies in the employee handbook, but at a minimum, the key elements of policies, the range of permissible sanctions for compliance violations, what happens in cases of intentional failure to comply, what happens when failure to detect and comply is due to employee negligence or reckless conduct, and who is responsible for determining appropriate discipline should be spelled out. And, as noted above, be sure to conduct periodic training in compliance policies and procedures. Don’t forget the power of positive reinforcement, either!

Reporting

The board of directors and senior management should receive regular reports from the compliance officer and company managers in the areas of general and specific compliance, quality measures and benchmarks, and finances. Employees and third parties should also be encouraged to report real or perceived compliance issues or identified opportunities for improvement, and in some cases, reporting back to employees or third parties about changes resulting from identified compliance issues may be advisable or even required. Also, be certain to have a method available to employees that allows for anonymous and confidential reporting of problems or concerns (e.g., a telephone hotline, a complaint box, a post office box or via the Internet).

Records & information management

As noted in a previous article, information is at the center of everything an organization does, and records (a subset of information) are evidence of what the organization does. Therefore, records and information management policies and procedures must be established for all of the following: records creation, distribution, retention and destruction, and assurance of appropriate and timely documentation of patient care. This applies to compliance records and policies as well as general business records. If you find yourself having to defend an alleged compliance violation, records are the evidence that will make or break your case. As a result, it is imperative that you have a solid records and information management compliance program incorporated into all of your other programs. And, as always, make sure you have strong policies for maintaining the privacy and security of information—patient, billing or otherwise.

Role of legal counsel

Never underestimate the role of legal counsel in your compliance initiatives and programs. Legal counsel can provide legal advice and final word on all legal questions, and serve as subject matter experts in various legal and regulatory areas. They can interpret and assess the external enforcement and liability environment, and lead and assist with investigations, risk assessments, and gap analysis, all possibly under the protection of attorney-client privilege. They can also assist with policy drafting and implementation, training, and general problem-solving.

Finally, keep in mind that a positive program gets better results. Keep it simple, communicate, educate, respond to detected offenses and monitor program effectiveness. When combined effectively, all of these elements will help you create a best-in-class compliance program.

This article only scratches the surface and is the first in a series of articles addressing compliance in MIH/CP practice. As always, if you need legal assistance, please be sure to contact an attorney.