CIOREVIEW >> Compliance >>

COs: A Business Justification For Technological Resources

Michelle Marie Juhanson, CHC Director, Compliance & Quality, PerformR
Michelle Marie Juhanson, CHC Director, Compliance & Quality, PerformR

Michelle Marie Juhanson, CHC Director, Compliance & Quality, PerformR

What to do when you have a small staff, small budget, and big responsibilities?

Being a Compliance Officer (CO) is not easy. You are the face of compliance to your organization and any State or Federal regulators who oversee it. You spend your days mitigating risks, and your nights worrying about audits, fraud, and regulations. You fret about the known and the unknown. Mostly, you wonder, “How am I going to handle all of this?” The most obvious answer is: more people, but perhaps the better answer is: technology.

Unless your organization is contractually required to expand the Compliance department, it may be difficult to make the case for hiring more people. However, it is possible to make the case for adding technology to existing processes to increase the efficiency and effectiveness of the Compliance department. The purpose of this article is to give COs a business justification for technological resources.

Pressures Facing Compliance Officers

“The Centers for Medicare and Medicaid Services (CMS) is the single largest payer for health care in the United States.” If you are a CO in the health care sector, then your organization probably falls under Federal or State scrutiny in some capacity. This would apply under the following health plan types:
a. Medicare
b. Medicaid
c. State Children’s Health Insurance Program (SCHIP)
d. Federal or State/Federal Insurance Exchange
e. Accountable Care Organizations (ACOs)

If this is the case, then your organization is expected or required to operate an effective Compliance program. That Compliance program must include seven core elements:

1. Written Policies and Procedures and Standards of Conduct;
2. Compliance Officer and Compliance Committee;
3. Training and Education;
4. Effective Systems for Routine Monitoring and Auditing and
Identification of Risks;
5. Effective Lines of Communication;
6. Well-Publicized Disciplinary Standards; and
7. Procedures and System for Prompt Response to Compliance Issues

The CO must demonstrate effective management of each element. While this is a daunting task for a CO for a single health plan, it is monumental for COs with multiple health plan types under their prevue. When you add multiple State and Federal regulators to the mix it can seem downright impossible to oversee.

And yet, that is the task facing many COs across the health care landscape today. The CO must demonstrate the effectiveness of the Compliance program during an audit or as the result of qui tam (whistleblower) lawsuits.

Effectiveness lives at the very heart of this discussion. How does one demonstrate the effectiveness of a Compliance program? CMS and the Health Care Compliance Association (HCCA) suggest that the best way to demonstrate effectiveness is to have measurable evidence that the program is preventing, detecting, and correcting issues of non-compliance and fraud, waste, and abuse.

Examples of Measurable Evidence

• Scorecards and Dash board great tools for measuring performance, and can be applied to both compliance department activities and the regulated services the health care organization performs, such as enrollment, grievances, prior authorizations and appeals, etc. Think charts, graphs, and pictures.

• Risk Assessments show that the CO was aware of the compliance risks to the organization and ranked those risks based on severity and mitigating factors (such as past audit performance). There are numerous ways to conduct risk assessments. The reports can be in various formats. Heat maps are excellent visual aids to show all of an organization’s risk areas in one easy to understand document that executives find easy to digest.

• Auditing and Monitoring Reports demonstrate effective oversight of internal departments and vendors.

• Corrective Action Plans show the organization’s response to compliance issues and the amount of time spent evaluating and resolving them.

• Meeting minutes documenting that the compliance committee or governing body has evaluated these documents, and that the organization acts upon them.

• The question then becomes, “How does the CO accomplish these tasks with an often small staff and limited budget?”

Low-Tech Compliance Solutions

Most COs have access to basic and low-tech solutions to keeping track of compliance issues and audits. This includes using Microsoft (MS) Word and Adobe PDF forms to receive and document issues, as well as MS Excel and MS Access databases to track multiple issues. Most organizations have licenses for these applications therefore they are a low-cost solution. However, there are significant pitfalls to this approach.

Forms, Spreadsheets and Pdf’s

This can be very labor intensive and inefficient. For example, your organization may have different forms to distinguish issues of non-compliance from fraud, waste, and abuse cases. Your organization may also have distinct MS Excel or MS Access databases to keep track of each issue type. Each form requires unique (and hopefully documented) procedures for their use, as would each database or tracking sheet. To complicate matters further, your organization may have an additional set of intake forms for employees and vendors to report potential issues. Adoption requires the CO to develop an employee and vendor training process to ensure that everyone knows how to complete the intake forms and where to submit them.

Fileshares and Department Mailboxes

This approach presents a challenge from a document control perspective. The CO has to establish and constantly police the process for saving each document and correspondence, including file/folder naming conventions, determining the need for folders and subfolders, and ensuring that any changes to files are documented. This issue is only compounded when email is added to the mix.

Does your organization allow emails to be saved on network drives? If so, there must be a process for ensuring that every email received for compliance event is saved in the correct network folder. If not, there must be a work-around process for converting emails into PDFs and saving them in the appropriate network folder.

If your company relies heavily on MS Outlook then you may be tempted to consider establishing department mailboxes, but the perils associated with this approach are similar to the network folder approach. It is also necessary to determine if your IT department has archiving or auto deletion rules for messages older than a given timeframe. This is highly problematic for health care providers with record retention requirements.

Monitoring and Tracking of Information

This requires significant discipline to ensure that the information from each form is captured in the spreadsheet or database you have developed. It can be a difficult task, and it requires constant monitoring because you have to provide reports to various departments or agencies on either a monthly or quarterly basis. More than likely, you have or will spend a significant amount of time tracking down information that was missing from the original report or that your employees failed to transfer to the spreadsheet or database.

You may find it frustrating to monitor of all of the various files and folders or subfolders that are required to keep track of everything, coupled with the process of ensuring that your staff actually follows all of the steps required to maintain such a labor-intensive process. As the CO, you want to devote more energy to policing operations than the administrative processes developed to police them.

Making the Case for Technology

If you are like many COs, you will be exhausted by the process, and will find that the limited staff you have is equally frustrated by it. This frustration is a good thing. What you, the CO, must do is demonstrate to your CEO or CFO that the time spent on antiquated means of tracking compliance issues could be better spent on actually resolving them. How does one do this?
Simply put, you must show the amount of human resource hours spent on the old method will significantly decrease using compliance-purposed technology. There are numerous technology vendors offering products that cater to the needs of a CO. There are products that individually manage audits, compliance/fraud issues, policies, contracts, risk assessments, and or regulations and sub-regulatory guidance. There are even some technology vendors whose products manage multiple compliance responsibilities.

As the CO, you must determine which area(s) of your Compliance program would best benefi t from technological support from a budgetary standpoint. In other words, what are the tools that will provide the most bang for your buck?

In order to win over your CEO and CFO, show them that the use of technology will reduce costs and increase efficiency and compliance. Remember that CEOs and CFOs are bottom-line individuals. Appealing to the possibility of audits and government scrutiny is less effective than showing how a new system can help your organization decrease costs, while demonstrably mitigating risks. Create a documented business case for adopting a specific technology platform. Below are key concepts to consider for inclusion in that proposal.

1. Calculate the hours per week spent on the current method compared to the hours per week using the technology resource.

2. Identify the negative impact of the current method
• Did you have a hard time producing documentation for an audit? Did you have to spend days, weeks digging up data?
• Was there a negative audit finding that is directly or indirectly tied to the current method?
• Do you have evidence of employee dissatisfaction with the current process to the point that it could result in turnover?
• Do you have undocumented compliance procedures? Are those procedures scalable (meaning, can new members of the department replicate them without problems)?
• Do you have programs, audits, or goals that were deferred because there was not enough time to achieve them (and that time was lost to administrative tasks)?
• Did you lose important documentation when an employee left your company or is this a concern for the future?
• Is your organization required to retain documents for a specific time period (7-10 years)?
• Do you have any exposure for qui tam (whistleblower) or class action lawsuits—are you concerned about the ability to produce the documentation necessary on discovery?

3. Calculate the cost/resources for hiring a third-party technology vendor
• Does the vendor charge a per user licensing fee annually?
• Does the vendor charge maintenance fees?
• Does the vendor charge training fees for using the system? If so, can you afford to pay those fees whenever you hire new people, or can you commit to owning the training process?
• Does the vendor host the system or does your IT department?

Determine the cost/benefit to this approach

• Who in your organization will manage the relationship with the vendor?
• Who in your organization will be responsible for keeping up with system changes?
• Who in your organization will be the subject matter expert with the new system?
• How much time is required to develop the system to suit your department’s needs?
• Who will manage user names, passwords, and general access to the system?

4. Demonstrate that the vendor solution will alleviate your current headaches
• Document current problems one by one, and then have the vendor document how their system will resolve those issues.
• When your department has trouble, what is the mechanism for resolving issues with the vendor’s system? Is that support available 24/7 or in your time zone?
• Can you commit to adopting the new system and not reverting to old ways?
• What are the reporting capabilities, and how much effort is involved in accessing those reports? Can you customize reports or does that require coding (additional cost and time) by the vendor? Are the reports easy to use, or do you need an information solutions degree to use them?


Demonstrating an effective Compliance program requires measurable evidence. There are low-tech solutions for doing so, but they can be inefficient and labor intensive. Compliance-purposed technology can make it easier for an organization to demonstrate an effective compliance program. If you apply the recommendations above, it is possible to make a business case that will appeal gain executive level support for new technology.

Read Also

How to Use Security Assessments to Enhance Your Security Program

How to Use Security Assessments to Enhance Your Security Program

Felipe E. Medina, VP of Information Security Architecture and Operations, BankUnited [NYSE: BKU]
In A Crisis: Cold Talent Automation versus Warm Talent Key Success Factors

In A Crisis: Cold Talent Automation versus Warm Talent Key Success...

Rob Hornbuckle, CISSP - ISSMP, CISM, CRISC, CISO and VP, Allegiant Travel Company [Nasdaq: ALGT]
Physical Security for a Confident Future

Physical Security for a Confident Future

Jana Monroe, Vice President of Global Security, Herbalife [NYSE: HLF]
Wringing Value from Every Drop

Wringing Value from Every Drop

Catherine Schladweiler, P.E.Principal, Environmental Policy and Sustainability, Tucson Electric Power Company
Resource Adequacy and Grid Flexibility Depend On Analytics for Energy Storage

Resource Adequacy and Grid Flexibility Depend On Analytics for Energy...

Sean Halloran, Vice President of Wellsite Technology at Ensign Energy Services
Renewable Energy – A More Adaptive and Responsive Choice

Renewable Energy – A More Adaptive and Responsive Choice

Warren Boutin, Director, Electric Service Support, Distributed Generation, & Supplier Services, Eversource Energy