Healthcare compliance is a group effort, requiring buy-in and vigilance from every member of your organization. Healthcare organizations should cultivate open lines of communication and enact a non-retaliation policy, to encourage employees to report non-compliance activities, without fear of reprisal.

Effective communication starts with a culture that values ethics and doing the right thing. To help create such a culture, implement policies and training that:

  • State that failure to report erroneous, improper, or potentially fraudulent behavior is a violation of the compliance plan and can lead to disciplinary action
  • Identify methods that allow for anonymity
  • Clearly state there will be no retribution for reporting improper conduct

Designate a method for employees to report an incident, including an option to report anonymously. Best practices for anonymous reporting include establishing a hotline, having a drop box, or using a third party, intra office mail, or information sent via U.S. Postal Service.

Establish an effective tool to track and follow through with incident reports. Without a way process to manage incident reports, it is possible to lose track of a reported issue that might expose your organization to significant liability. Also, without follow through, the benefits of open communication will not be realized. A frustrated employee may be motivated to turn outside the organization for satisfaction. In many cases, the decision by an individual to become a whistleblower, or qui tam relator, is made only after their concerns were ignored or not investigated properly.

Incident reports might encompass anything from an employee noticing that someone at the front desk is discussing a patient’s protected health information (PHI) too loudly (a HIPAA compliance concern), to a biller in the business office noticing the improper use of a code for services performed (a coding compliance concern). Some reports will require minor staff education or policy updates; others may require full investigations including audits, disciplinary actions, self-reporting to CMS, or even refunding payments that were inappropriately billed.

Some reported concerns may be unfounded. In these cases, follow through is especially important because it lets employees know their concerns were heard and evaluated, and provides an opportunity to educate staff.

Tools for managing incident reports range from Excel spreadsheets, to paper files in a drawer, to software solutions. A good compliance solution should effectively track incident reports, the investigations of the reporting, and follow-up actions required. Effective tools allow not only for reporting and tracking of an incident, but also the organization of investigations and follow-up assignments, by offering reminders and task tracking.

Regular employee evaluations, as well as exit interviews with staff who leave, can help to identify compliance vulnerabilities. Employees may reveal concerns about a potential compliance issue during a performance evaluation, for example. Individuals will often divulge information when exiting they may not have been willing to reveal, previously. Use a checklist when conducting employee interviews, to remind yourself to cover all relevant points. Include questions regarding any known activity of non-compliance in the interview checklist. This simple step can be important to minimize the risk of a former employee becoming a whistleblower, in the future.

The purpose of open communication is to ensure that the entity has the benefit of everyone’s eyes and ears to identify and correct compliance vulnerabilities. When a concern is identified, be sure to communicate the results—including any protocols developed to correct identified risks—to relevant staff, board members, and vendors. Completing this communication loop not only demonstrates the organization’s commitment to compliance, but also allows the appropriate parties to learn from the issue.