December 4, 2020 | By Sean Weiss, CHC, CEMA, CMCO, CPMA, CPC-P, CMPE, CPC
Last month, Paul Spencer, Senior Compliance Consultant of DoctorsManagement (DM), and I had the privilege of presenting to NAMAS members a course on performing a “gap” analysis in order to build a corporate compliance program that works in practice and is based on a living, breathing document.
So, what exactly is a gap analysis? A gap analysis measures existing policies and standard operating procedures (SOPs) against industry standards or “best practices” (I am not a fan of best practices because no two practices are the same, nor are their operations) in addition to applicable laws, acts, regulations, etc. Results typically indicate gaps and/or deficiencies in the compliance program, including but not limited to potential regulatory violations. Identifying gaps allows one to take corrective action and mitigate ongoing and/or future risks to the business. We use the gap analysis to identify the necessity for education or remedial education in high-risk areas, targeting the differences between current knowledge, skills, and/or practice and the desired best practice/outcomes. Remember, compliance must be absolute for all providers of health care regardless of setting, specialty or insurance participation.
There are five (5) steps I deploy in a gap analysis:
- What is the current state – what is currently happening?
- What is the desired state – what should be happening?
- Steps we took to identify the gap – what is vs. what should be?
- The gap due to knowledge/skill(s) – what is the underlying or root cause?
- What method(s) were used to identify the practice gap – what evidence exists to validate the gap?
One of the biggest issues healthcare entities face is “risk.” However, risk comes in various types and varying degrees. Regardless of the type of risk, ignoring it or wishing it away is not how you mitigate it. Risk can be identified through various means such as:
- inspections,
- citations,
- audits,
- information logs,
- training, and
- laws and regulations.
Beyond the above, keep in mind that risks associated with third-party relationships, including but not limited to suppliers and service providers, are important from a compliance perspective. Taking the time to look at your organization holistically will aid in the process of determining the particular category or categories to focus on as part of the gap analysis.
Let’s now turn our attention to the performance of a risk assessment. The Department of Justice spells out the steps one should take to perform a risk assessment. Below, they discuss it in the context of what a government prosecutor looks for in a risk assessment:
“Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process. As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.
- Design – What is the company’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures?
- Have business units been consulted prior to rolling them out?
- Comprehensiveness – What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
- Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access?
- Have the policies and procedures been published in a searchable format for easy reference?
- Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
- Responsibility for Operational Integration – Who has been responsible for integrating policies and procedures?
- Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?
- Gatekeepers – What, if any, guidance and training has been provided to key gatekeepers in the control processes (e.g., those with approval authority or certification responsibilities)? Do they know what misconduct to look for? Do they know when and how to escalate concerns?”
Mitigation of risk is critical to covering your “ass-ets.” Choosing to forge ahead with an investigation and/or risk analysis is how an organization demonstrates “good faith” and the effectiveness of its culture of compliance. Working to cure breaches and/or issues within operations helps reduce regulatory fines and scrutiny, and better positions the organization for those unexpected visits. Acting in reckless disregard or in deliberate ignorance of the truth is what causes organizations prolonged legal issues.
Shifting from the gap analysis to building your compliance program is the final thing I will address in this tip. Effective compliance programs include an appointed compliance officer and/or a committee, depending on the size of the organization. As a compliance officer, you have to engage in the review of allegations and/or concerns raised for potential problems as part of a gap analysis. The compliance officer initiates corrective action, in addition to ensuring open lines of communication with all employees and being transparent throughout the process without waiving privilege, which is why this all should be performed under attorney privilege. The gap process often brings not-so-evident issues to the surface, creating heartburn for those organizations lacking the human and financial capital to deal with the fallout. Due to complex laws and regulations, many companies lack the internal resources to perform a proper gap analysis, and as such, things get swept under the rug in the hope that our little secret(s) never slip out into the open.