08.08.2024

10 reasons to schedule a full compliance risk assessment – including some surprising benefits

By J’NON GRIFFIN
RN, MHA, HCS-D, HCS-H, HCS-C, HCS-O, COS-C
Sr. Vice President of Compliance & Coding

Behavioral health providers know full compliance risk assessments play an important role in lessening the likelihood of a data breach or avoiding criminal or civil monetary penalties from the Office for Civil Rights (OCR).

But SimiTree’s clients are often surprised to learn a full compliance risk assessment offers other benefits as well.

Did you know, for example, that a full compliance assessment helps many organizations determine when, how, and whether to rely on data encryption, where and how data transferring processes may need to be secured, or which personnel screening measures need to be updated?  

A compliance assessment targets primary diagnoses rejected under Medicare Advantage plans serving behavioral healthcare recipients and highlights where and how clinicians may be struggling with new E/M guidelines or capturing total time.

It can show Substance Use Disorder (SUD) service providers where they need to make adjustments to consent forms, privacy notices, and other documents to meet new confidentiality requirements under recent revisions to 42 CFR Part 2 in accordance with the CARES Act.  (Read more about those revisions here.)

It identifies quality reporting issues for Certified Community Behavioral Health Centers (CCBHCs) – and the list goes on.  

What is a risk assessment?


A full compliance assessment provides a cross-sectional organizational analysis based on data review, performance assessment, comparative industry metrics, and interviews.

Compliance is confirmed through review of policies and procedures, service recipient records, confidentiality agreements, personnel records, and other information sources. Billing practices are reviewed for irregularities and high-risk codes and procedures likely to trigger audits, fraud investigations, or result in claims delays and denials.

The organization is also evaluated on security measures such as its PHI management.

Measure your organization’s risk remediation.

A  full compliance assessment can effectively illustrate to a behavioral health organization the effectiveness of its existing controls and risk remediation.

The Office of Inspector General (OIG) wants providers to do exactly that.  In comprehensive new compliance guidance issued in late 2023, the OIG recommended all healthcare providers conduct full compliance risk assessments in addition to regular self-monitoring.

A full assessment can help identify new areas which may be appropriate for routine monitoring. Many federal health care programs require monitoring in areas including:

  • High-value billing codes

  • Medical record documentation, including complexity of medical decision-making

  • Medical necessity of admission and/or services provided

  • Contracts with referral sources


Here's a look at 10 specific benefits of a full compliance assessment.


10 reasons to schedule a full compliance risk assessment

  1. Avoid penalties and sanctions. Mitigate the risk of running afoul of the Office for Civil Rights (OCR). The OCR enforces compliance with sanctions and civil money penalties levied for fraud, waste, and abuse. Criminal penalties may also be imposed and enforced by the U.S. Department of Justice. A full compliance risk assessment will identify your organization’s vulnerabilities.    

  2.  Pinpoint deficiencies that could result in survey citations. A full compliance risk assessment can survey-proof your organization. For a look at the most common survey deficiencies in behavioral healthcare, check out this previous Compliance Report. 

  3. Lessen the likelihood of a data breach. The cybersecurity attack on Change Healthcare earlier this year was the most widespread cyberattack on the U.S. healthcare system to date, affecting providers of all types. Identify your organization’s privacy and security risks with a full compliance risk assessment. And if you need a few pointers on crafting your organization’s Data Breach Crisis Management Plan, you’ll find them here.

  4. Improve personnel screening measures. Is your organization relying on risky personnel screening processes? A risk assessment can help identify how and where processes may need to be updated.

  5. Identify data risks.  Healthcare organizations often need assistance identifying data that needs to be backed up and determining how to safely do so. A full compliance risk assessment can help with that.  

  6. Make important data security decisions. Wondering whether to use encryption? Information from a compliance risk assessment can help in important decisions about whether and how to use encryption.

  7. Protect data integrity. A full compliance risk assessment can assist behavioral healthcare providers in determining specific data that may need to be authenticated in particular situations to protect data integrity.

  8. Ensure secure data transmission. A full compliance risk assessment can help organizations determine the appropriate manner of protecting health information transmissions.

  9. Improve ongoing monitoring efforts. Whether it’s regular screening of the State licensure and certification database or the State Medicaid exclusion list, a full compliance assessment will help evaluate your organization’s ongoing monitoring processes to determine whether they are effective, still needed, or performed at the appropriate interval. Read more about setting up self-auditing and monitoring programs here.

  10. Evaluate business associate risks.  Doing business with other entities brings additional risk. Can your organization be confident its contracted vendors are following federal, state, and other requirements for confidentiality and data privacy? Does your contract address what happens in the event a business associate fails to meet requirements? A full compliance risk assessment can help organizations identify risky business agreements.

Let SimiTree help.

SimiTree’s compliance experts see the interconnected nature of HIPAA privacy, compliance, regulatory, and quality goals. We can help clients review their organization's HIPAA privacy status, billing practices, clinical documentation, and more.

Our full compliance risk assessments offer the peace of mind your organization needs

 to ensure the highest level of accuracy and performance.  

Reach out to us today and let’s work together to shore up compliance and improve performance at your organization.

Your questions matter! Tell us what to write about. 

Rapidly changing regulations are impacting all behavioral health providers and creating many areas of uncertainty for providers. We want to address the questions that matter most to you in this weekly space. 

Ask your compliance questions – or request the specific topic you’d like more information about – by writing to me at jgriffin@simitreehc.com to let me know what you’d like to read about in a future Compliance Report.

Make sure you’re subscribed.


It's more important than ever to stay abreast of compliance issues in 2024 -- and I don’t want you to miss any of my Weekly Compliance Reports. Be sure to add your name to the subscription list here.

Why not invite the compliance officers you know to sign up as well?
_________________________________
J’non Griffin serves as Senior Vice President/Principal for the Compliance and Coding divisions at SimiTree. Her healthcare career spans three decades of clinical and leadership experience, and she has a track record of helping many provider types implement effective compliance programs. She is a certified ACHC and CHAP consultant and holds additional certifications in diagnosis coding and other healthcare specialties. As an AHIMA ambassador, she was instrumental in the implementation of ICD-10.