Healthcare compliance organizations have traditionally been focused on human behaviors inside the walls of a single organization. That’s rapidly changing with the advent of the Interoperability and Patient Access Rule and the Transparency in Coverage rule. The scope of concern of regulatory compliance professionals now must cover how a healthcare organization interacts with other entities, members, providers and patients in the industry ecosystem. New regulations are increasingly concerned with technology compliance and can reshape business and operations models. Compliance officers who help their organizations respond effectively to these forces will remain valued, relevant resources. Achieving that position requires them to build new skills and actively participate in developing strategies that deliver compliance alongside new business capabilities.

Trending: Ecosystem-wide, technology-centered health compliance

The traditional healthcare compliance executive is well-schooled in the Health Insurance Portability and Accountability Act (HIPAA), the Affordable Care Act, Stark laws, corporate integrity agreements and more. In our experience, they are less well-versed in the digital topics, trends and technologies that inform the interoperability and transparency regulations. These include the following:

  • Ecosystem-driven compliance. Compliance activities, such as training personnel to follow HIPAA privacy procedures, typically have focused on internal users and procedures. When other parties are involved, such as the Centers for Medicare & Medicaid Services (CMS) or provider organizations, all are bound by similar ethics and many of the same regulations.

    Now personal health information (PHI) may be shared by and among multiple external parties, some of which may be outside the healthcare industry. To take one example, the interoperability rules allow a patient to designate someone as their “personal representative.” This representative may authorize a payer to allow a third party, such as an app or a non-traditional health provider, to access the patient’s data. Compliance officers must understand this new member right and its related identity management, documentation, expiration/revocation and auditability requirements, all of which must be carried out even when the personal representative is not a plan member.

  • Increased technical complexity. Tracking and managing this third-party data access and use require modern digital technologies many compliance officers have not previously monitored. Many of healthcare’s current electronic transactions are relatively simple from a technology perspective. Many are one-to-one transactions, such as sending an eligibility file to the CMS or receiving the EDI 837 Healthcare Claims Transaction Set (a long-established standard) from a provider.

    By contrast, complying with price transparency and interoperability rules requires a full technology stack encompassing cloud-based computing; application programming interfaces (APIs); new data standards, such as Fast Healthcare Interoperability Resources (FHIR); and streamlined, iteration-based methods of developing and refining software capabilities, such as Agile methodologies. The CMS transparency and interoperability rule documents are filled with references to modern technology and processes. That highlights the third major compliance trend.

  • A focus on technology vs. individuals. The interoperability and transparency regulations essentially call for machines — computers — to exchange and act on health and related data. In that context, compliance must focus on ensuring software and systems comply with regulations. The stakes are exponentially higher when technology is involved. An individual caregiver or administrator may make a few mistakes with data entry or access. A noncompliant algorithm could make errors in a few seconds affecting thousands of members and patients. It’s up to compliance executives to ensure the technology complies with existing privacy and consent regulations, including those at the state level, while also executing federal requirements.

Not a job for IT

Given the highly technical content of interoperability and transparency regulations, it’s not surprising we see many compliance executives simply turning over implementation of these to IT departments. But when compliance officers rely on IT to build compliant software, processes and procedures, we routinely see these negative outcomes:

  • Lack of business engagement. Many compliance officers we meet do not actively manage the IT development efforts because they are unfamiliar with the technology involved. Their perception of compliance as an IT challenge also means they often do not involve business and strategy executives. That’s a serious omission when these mandates require publishing formerly proprietary price and contract data and releasing health data to virtually any entity or individual a member designates. At a minimum, the organization’s leaders should understand the competitive forces these rules unleash.

  • Increased costs. Given little or no strategic direction or context for compliance projects, we see IT departments using technology to overengineer their responses. Given that CMS regulations continually evolve, overbuilding now could result in wasted and expensive effort.

    Consider the payer-to-payer data exchange requirements as written in the Interoperability and Patient Access Final Rule (CMS 9115-F). The rule does not precisely define how to execute these exchanges. What is clear is that healthcare organizations may comply with this specific set of requirements using manual processes and workflows until CMS offers more guidance. But we see IT organizations creating APIs to address this.

    While it is laudable to be thinking about a future in which healthcare data interoperability and portability have been fully automated, spending resources on developing features that are not required now and that are likely to change leads to underused functions, higher costs and misallocated resources. Further, rebuilding the function later under new guidance can cause budget overruns. IT needs guidance from compliance executives to ensure its efforts align with compliance priorities.

  • Missed business opportunities. IT developers working on transparency and interoperability compliance efforts may not appreciate how the data access requirements create new ways to interact with members and change how the organization delivers care coordination and improves population health. The digitally informed compliance executive should have a broader perspective and can help other executives see and act on those opportunities.

A checklist for the modern healthcare compliance executive

Compliance executives clearly can take a major role in helping their organizations develop strategic, business-game-changing approaches to compliance. Doing so requires them to build a new personal knowledge base. The following checklist outlines six key technology areas critical to interoperability and transparency. Compliance executives must rate where they land on this continuum for each item:

  • I avoid conversations on this topic.
  • I’m comfortable participating in conversations on this topic.
  • I can drive conversations on this topic.

The upshot: A compliance officer’s value increasingly depends on how well they understand these six technology areas. In particular, they must help senior executives and business leaders realize how data portability and price transparency compliance can reshape business and operating models. The resources below are good starting points for expanding expertise to ensure a compliance officer’s continued relevance to the organization.

Key digital technologies

Cloud comes in public, private and hybrid models. Major public cloud providers include Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform. Cloud provides the scale and security healthcare organizations require to participate in the industry ecosystem.

APIs enable software systems to communicate and exchange data more easily. The Interoperability rule calls for creating a Patient Access API and a Provider Directory API.

Data standards 

Data standards enable multiple parties to exchange the same data elements in the same format and enables faster automation of decisions and actions informed by that data. The following are the key standards required for interoperability and price transparency:

 

IT methodologies and tools

Modern software development methods deliver software in weeks or months vs. years. These are some of the key methodologies and tools:

 

Cyberthreats

Data is valuable, and digital thieves have increasingly sophisticated ways to hack into systems to gather it. Learn what the major threats are and how companies defend themselves.

Key security technologies

Identity management, verification and access control become increasingly important when multiple parties may access and exchange data. Solutions encompassed by interoperability include public key management and OAuth.

Advanced topics

Interoperability requires the healthcare industry to adopt more sophisticated data security and audit measures. Compliance officers must ensure data strategies incorporate the following five capabilities:

  • Data provenance. Organizations must be equipped to answer the question, “Where did this data come from?” by systematically tracing data to its original source through a chain of transmission that includes all the entities and systems that have accessed and/or added to or altered it.
  • Data subject identity. Organizations must create systematic certainty about who created the data (which provider or providers) and whom the data is about (i.e., the patient).
  • Data sensitivity labeling. Health organizations must tag data that requires special handling by law, including behavioral health-related, substance abuse-related, etc.
  • Data jurisdiction identification. States have myriad laws governing health information and its access, storage and use, many of which involve the rights of older adolescents. Organizations must have systems for tagging which state’s jurisdiction covers a specific record so the organization can follow that state’s specific laws when managing that data.
  • Consent management. Organizations must track by what authority data has been authorized for disclosure, or other transmission, whether through HIPAA provisions, patient consent or that of an authorized personal representative..


For more information, please visit the
Healthcare and Interoperability Solutions sections of our website, or contact us.