Compliance-process reviews are somewhat of a moving target because of the flurry of new regulations, audits and enforcement initiatives. But the heart of an evaluation focuses on the compliance officer’s engagement and the hospital’s adherence to longstanding laws, regulations and policies, and for some organizations, it’s an exhaustive process.

For example, each of the 164 hospitals at Hospital Corporation of America (HCA) experiences an intense four-month review once every three years, said Eva Maria Wood, director of program assessment in the ethics and compliance department at HCA in Nashville. There are four parts to the review: create, collect, crunch and communicate. “It’s an easy method you can incorporate for any size or type of facility on any budget,” Wood said in an interview and at the Health Care Compliance Association Compliance Institute in Las Vegas in May.

One of four reviewers from Wood’s department conducts the assessment, and results are shared with the hospital, which then implements corrective action plans if deficiencies are identified. The review includes an assessment of compliance-officer “engagement,” Wood says, which is a reflection of both the hospital culture and the compliance infrastructure.

The first step of the compliance-process review is the hospital’s completion of seven questionnaires. The big one, with 30 topics, is for the ethics and compliance officer (ECO). The other, shorter questionnaires must be filled out by key personnel and address information security, privacy, health information management, pharmacy, records and clinical research.

For example, the ECO questionnaire covers a range of issues, including coordinating and monitoring compliance risks, marketing to physicians, conducting investigations, corporate reporting, reporting without fear of retaliation, case management, Medicare enrollment, the beneficiary inducement prohibition, and clinical documentation improvement specialists.

The hospital also must prepare documents for the reviewers, as spelled out in a request prepared by Wood’s department. The hospital submits policies, procedures and other documentation that help reviewers assess the hospital’s compliance with laws, regulations and corporate policies. Like the questionnaires, documentation is all over the map. For example, hospitals are asked to submit documentation on their compliance with HITECH/HIPAA, the Emergency Medical Treatment and Labor Act (EMTALA), DEA regulations for controlled substances, and documentation of verification of employee and medical-staff member credentials, background checks, licensure and exclusion checks.

All the information — completed questionnaires and documents — are deposited in HCA’s “teamrooms” in SharePoint, a secure database that allows access by authorized users from any location, Wood says. The compliance reviewers then dig in. They use 40 different checklists to evaluate hospital compliance (see box, below). For example, reviewers determine whether the hospital adopted HCA’s HIPAA policies in a timely manner. “The reviewer ensures the hospital has each of these in place and it has the appropriate language,” Wood says. “The hospital must have an adoption process that ensures all the policies stay up to date. As reg-ulations change, the policy language needs to be updated. So the hospitals have to update their policies by a specific date.”

Then the hospital prepares for an onsite visit from the compliance-process reviewers, which lasts 1½ days. “It’s an intense day for everyone because we are trying to fit a lot of conversations in,” Wood says. The day begins with an entrance conference with top executives and the bulk of the time is spent reviewing records management, employee personnel files and investigative documentation, which requires an in-person review. “Under our records management program, we require hospitals to take a detailed inventory of every piece of paper” and “draw maps of where all the file cabinets are,” she says. They must have retention schedules, send documents off-site after a certain amount of time and destroy them in a timely fashion. They shouldn’t be sitting in a water-logged basement. And reviewers check to see that hospitals have a plan for preserving vital records that would enable the resumption of business in the event of disaster.

Finally, reviewers put the compliance officers under the microscope. For example, does the ethics and compliance officer “have a strong enough personality to question the CEO or CFO about issues that may be happening at the hospital? Do employees recognize the ECO and know how to contact the ECO? Do they en-courage employees to bring forth any questions or concerns they might have about compliance? That culture piece is crucial to a great compliance program,” Wood says. Also, “we look at their compliance committee minutes to make sure they are leading meetings in a meaningful way and holding key individuals responsible.” She notes that many ECOs have assistant ECOs, so “we make sure the ECO hasn’t delegated the whole program to the assistant ECO.”

Hospitals Start With a Perfect Score

Then it’s time for scoring. Every hospital starts with a perfect score — 100 — and then it’s docked for each ball dropped (e.g., failure to log gifts to physicians or conduct audits per HCA policy). Minor issues, which are assigned yellow, reduce the score by 0.4%; systemic issues, which are assigned orange, reduce the score by 0.9%; and egregious issues, which are assigned red, reduce the score by 1.9%. All issues are not created equal. At the beginning of each year, they are weighted according to their risk; a low risk is one, a medium risk is two and a high risk (e.g., potential Stark and HIPAA violations) is three.

“Reviewers come back from onsite reviews and we wrap everything up,” Wood says. “We come together as a team and look at how minor or serious the hospital’s issues are.” It’s based on three months of data. There has to be consensus among Wood and the four reviewers when scoring a hospital’s compliance. “99% of the time, the scoring tool is right on.”

The percentage for each issue identified (minor, systemic or egregious) is multiplied by the weight already assigned to the risk of the issues (1, 2 or 3), and the total is deducted from 100. Then the hospital and compliance officer are graded, and the grades are converted to ratings, Wood says:

• 94% to 100% is a five, which means “excellent performance. The compliance officer is thoroughly engaged and fundamentally involved.”

• 86% to 93% is a four, which means “above average and highly engaged.”

• 70% to 85% is a three, which is “adequately and sufficiently engaged.”

• 60% to 69% is a two, which is “below average and not sufficiently engaged. Improvement is critical.”

• 0% to 59% is one, which means “performance is unacceptable. ECO is disengaged and failing to meet core requirements.”

Results Are Shared With Compliance

After they calculate the score, Wood and the four reviewers share results with the hospital and send a report to the CEO. Within three weeks, the hospital compliance officer must submit corrective action plans for areas that have red, orange or yellow ratings. “We follow up,” Wood says. “We have a tracking system” and her department’s review coordinator sends the hospital compliance officer emails checking on the progress of corrective action plans.

To get feedback on the process, Wood surveys hospitals. Most of the feedback is positive, although com-pliance officers complain about the workload. The surveys also led to one change, Wood says. Reviewers used to interview employees as part of the assessment, but a few compliance officers complained. “It was a hassle for hospitals to schedule 15-minute interviews with 10 employees and we didn’t get much information out of the interviews,” she says.

Wood says assessments of the performance and engagement of the compliance officers are a permanent work in progress. HCA started at a high level, and each year, “we dig deeper,” she says. “The important thing is to bite off what you can chew.”

View HCA’s compliance checklists and compliance poli-cies at hcaethics.com/auditing/reviews.dot.

© 2012 by Atlantic Information Services, Inc. All Rights Reserved.