An outsider's perspective: 3 observations about healthcare compliance


We've got another special treat for y'all! This time, it's a guest post from my girl Jess Luna at Conifer Health Solutions.


About 26 cat-years ago, Jess introduced herself and Deena McCord to me as champions of short, to-the-point compliance training. And after many phone calls, lunches, and trips up and down the Dallas North Tollway, I can confirm that Jess and Deena are the best combination of pragmatic and forward-thinking.

We've invited Jess to the blog today to talk about anything she wants, and she's picked some of my favorite topics: organization and strategy! She'll break down what this means to her (pragmatically, of course) in healthcare compliance.

Take it away, Jess!


About two (or 3?) years ago when I worked at Toyota with my then and now colleague, Deena McCord, we received the Broadcat book from a colleague who picked it up from a conference. You know the one. We read it. We couldn’t stop talking about it.

It was so polarizing, the reverse of what we were taught about how to do traditional compliance training, and it spoke to our inner sarcastic yet pragmatic selves. Employees don’t want to watch/do our annual check-the-box training, so how can we fix it? We championed that mentality and challenged the norms/way-we’ve-always-done-things at Toyota (new cross-functional committee and all), and now we’ve both carried the torch to healthcare.

Which brings me to this article. Healthcare compliance is a completely different beast. Or is it?

(Full disclosure for context & so I don’t get tomatoes thrown at me: I am about 10 months into my healthcare compliance career at a revenue cycle management company.)

Healthcare is like the mecca of all industries for compliance professionals. So many rules and regulations and they govern one of the, if not the, most critical things in this world: human health. While this mecca concept is not wrong—there are SO many opportunities for fraud, waste, and abuse in healthcare 😱—the foundation of tackling corporate compliance remains the same.

Here are the three big observations I’ve had in comparing “regular” corporate compliance to healthcare compliance.


1. DOJ Guidance AND OIG Guidance.

Umm, what?

I know, I know. If you’ve been in healthcare your entire career, OIG is your Hey, Arnold and PopTarts (millennial nostalgia here), or what you grew up on. But, there is an absolutely critical component missing from OIG’s 7 Elements for an Effective Compliance Program—risk assessment.

DOJ Guidance, as in the DOJ Evaluation of Corporate Compliance Programs, begins with outlining the importance of companies adequately identifying their unique risk profiles and frames up the design of compliance programs with many thought-provoking questions around risk management.

You have to have a risk-based approach because you can’t eat an elephant in one bite. But also, you probably want to build your program according to the risk of your company to strategically place your resources where they can make the biggest impact.

This is especially important in healthcare. Like I said, so many opportunities for fraud, waste, and abuse. So many processes that are missing proper governance. So many areas you could tackle, but, as in most industries, you only have so many resources. The strategy here is to focus your efforts on the dark red of the red—highest risks.

If you have a comprehensive risk assessment process in place, you can quickly identify the areas of your company that have the most regulatory scrutiny, the highest risk exposure, and the least amount of governance in place (residual risk) and build your annual work plan around those.

Key words: areas of your company. While the OIG’s Annual Work Plan is a risk factor and source for benchmarking and looking forward to potential future enforcement actions, it shouldn’t be your sole focus. Your high risks could be different from the areas in the Work Plan.

Your risk assessment process also allows you to be more objective in your work planning approach and address actual risk. Not what you *think* you should do.

Pro tip: With the current pandemic environment, when you are having to pivot this early in the year, having a solid risk assessment foundation plus a risk scoring methodology allows you to consider and score new emerging risks against your previous risk assessment results to efficiently reprioritize your work plan.

Changing business priorities means changing risk profiles and your support needs to adjust accordingly.


2. Compliance Testing instead of Compliance Auditing.

A healthcare compliance terminology norm: auditing. When you think about your classic three lines of defense model, audit has a very distinct place that is outside of compliance. Audit is meant to be completely independent and objective—effectively hands-off.

We, as compliance, should not be. We cannot assume that business owners understand how to build adequate governance or remediate risks on their own and then get frustrated when they don’t build it like we would.

Think about it this way: you take your car in to your local mechanic shop. They run a full diagnostic test on the vehicle and provide you with a report of their findings. In the report, they recommend you change your spark plugs. They also say they can’t change them for you; you have to figure it out on your own. Could you manage to change your own spark plugs? Maybe. Or maybe you get frustrated and throw your hands up and say, “Meh, I’m sure it’s fine. They just recommended I change them.” Fast forward a week and your car won’t start.

Compliance testing gives us the ability to test the governance (e.g., policies/procedures, process training, QA/monitoring, and escalation) of a process as well as a sample of the process output. We can require business owners to mitigate findings but we can also help them build it by providing guidance and/or tools to help with the “how.”

If we aren’t willing to roll our sleeves up and help build processes that are set up to run compliantly and efficiently, we are setting up the business to fail.


3. Just-in-Time and On-Demand Training plus eLearning Education.

Now, I know that because of SOX controls and OIG/CMS expectations and FDR requirements, etc., we are required to provide trackable training on Code of Conduct; Fraud, Waste, and Abuse, etc. And, assigning eLearning is the only realistic way to do this with large employee populations and a full or partial remote workforce. But, if we’ve learned anything from Broadcat, it’s that compliance eLearning typically provides education and not training. And if your FWA course is anything like CMS recommends, it’s probably not at the forefront of any employee’s mind.

You need something that supplements the eLearning via actionable resources that can help change employee behavior over time. This is where just-in-time and on-demand training come in. (Read more about the difference here.)

Instead of focusing on getting employees to understand why intent makes the difference between “fraud” and “abuse” (because, let’s face it, most are not attorneys), try these instead:

How about creating a pop-up window for clinicians that asks them why they are trying to enter two of the same diagnostic test?

What about creating a chart for the most frequent coding mistakes (as seen in your coding monitoring) that coders can post by their desks to quickly reference?



If all of this gives you a headache because there are thousands of processes to test, create resources for, etc., I get it. I spent my first three weeks on the job freaking out a little (A LOT) in my head. After you catch your breath, though, you’ll realize how nice that risk assessment process is sounding now.

Do it. Get organized. Strategically plan. And then, jump into the dark red processes and get to operationalizing your program.