Frequently Asked Compliance Questions - Answered.

Hey there! For this week's newsletter, we reached out to some of the sales team here at Compliancy Group to chat about what they’re hearing from prospects on the frontlines.

From the biggest compliance headaches to the most common mistakes (and how to avoid them), they’ve got some great tips and real-world advice to share. Whether you’re just getting started or looking to fine-tune your compliance game, there’s something here for everyone.

What challenges do prospects face in maintaining compliance over time, rather than just achieving initial compliance?

The biggest challenge is the tracking of year-round reviews, updates, and changes. A one-time risk assessment doesn’t allow for this type of dynamic tracking, and even the best-formulated policies will stop being effective if they are not consistently reviewed.

What kinds of compliance questions do you get from organizations that have previously faced violations or audits?

The main concern of these organizations is the ability to report. Anybody who has gone through an audit knows that the government (though I hate to say it this way) does not care about what you are doing in practice. They only care about what you can prove on paper. If you can’t show clear supporting documentation and proof of “good faith effort”, you will not pass a government audit.

Are there any specific parts of the HIPAA regulations that clients tend to underestimate in terms of complexity or importance?

Risk Analysis and Policies are the two that immediately come to mind. A spreadsheet and a binder that get looked at once a year do not make these things effective.

What, in your opinion, makes an “effective compliance program”?

An effective compliance program is one that makes a difference. It is impactful, and it changes the culture of the organization. It is more than just a checkbox; it becomes a defining part of how the company operates culturally.

How do prospects manage regulations? What’s their biggest struggle?

The larger the organization, the more complex their regulatory needs become: Fraud, Waste, Abuse, Stark Law, Anti-Kickback, HIPAA, OSHA, state and federal reporting needs, accreditation requirements, etc.

It’s a lot. Most companies have spreadsheets for each reg, and there is a lot of overlap between them.

Where can people find out about changes in regulations? How often should they be doing research into updates?

There are a few different resources people can use to stay up to date on changes within certain regulations, everything from government websites (CMS, HHS, OCR) to industry newsletters, professional associations, or even online communities.

Generally speaking, you want to be researching updates on at least a quarterly basis, if not monthly. Some changes may be more critical than others and can involve patient safety, privacy, and/or operational standards, so you want to stay ahead of them and give your organization time to adjust to said changes.

What part of the compliance process do clients often underestimate in terms of the time or resources needed?

The biggest one that comes to mind is the need for ongoing regulatory monitoring and updates. Some clients feel (or hope) that compliance is a one-and-done event, meaning they do a risk assessment in December or January and assume that they are good until next year.

Another that we hear quite often is the incident reporting process. Many clients tell us that since they do not have a lot of incidents reported, everything must be going great. The only thing that is worse than having a lot of incidents being reported is having no incidents. This means that staff don’t have a method or are not comfortable reporting, and therefore incidents are occurring without anyone knowing, and no remediation plans are being implemented, which can cause multiple problems down the road.

What key compliance mistakes do prospects make when they try to manage compliance internally without a dedicated solution?

There can be quite a few mistakes, unfortunately, but some of the more common ones are:

  • Inconsistent tracking of regulatory changes, risking non-compliance
  • A lack of documentation and/or audit trails
  • Inadequate risk assessments, which fail to identify and therefore address vulnerabilities
  • Human error, which is more prone to occur without a standardized process based on an organization's risk profile

In your experience, what are the most common triggers that lead prospects to realize they need to overhaul their compliance strategy?

Unfortunately, the glaring trigger that is head and shoulders above the rest is an incident or data/security breach. Needless to say, more times than not this is a day late and a dollar short. In the last several months we have seen more and more events which, if there is a silver lining, are bringing an organization's compliance efforts to light.

Another (which is a good thing!) is expansion of operations, locations, or services, or growth in general. As practices and businesses expand, they find the old way of doing things just simply won’t work, or, if it's a more manual existing process, it is no longer efficient. This usually triggers a shift to a more central, automated, and scalable compliance solution.

What are the most common compliance concerns prospects have during your initial conversations?

Most prospects are concerned with avoiding fines and penalties due to a lack of compliance illustration, whether that be training, conducting an SRA, or even just having templates of P&Ps. The main concern I see when speaking with prospects is that they just do not know what is considered an effective compliance program for their specific practice or business. They tend to interpret the regulation themselves, and this can cause lots of misunderstandings of what actually needs to be in place.

What’s an aspect of compliance that you find is typically overlooked and not addressed?

Ongoing risk assessments and maintenance of policies and procedures. Oftentimes the smaller practices or organizations we speak with tend to overlook how important it is to be conducting a progressive risk assessment and how much can be missed when one isn’t done on an ongoing basis. This can cause compliance programs to quickly become outdated.

Which aspects of HIPAA compliance seem to confuse people the most?

Risk Assessments. This can be a pretty heavy lift for any organization to manage and track, especially when speaking with a group that does not have an established compliance department. Having one person, who likely holds many roles, managing even just a risk assessment can tend to be overwhelming, and understanding the outcomes of a risk assessment can be convoluted, making it difficult to understand the proper corrective action plans needed.

Are there any gaps in training that prospects tend to have?

Typically I see prospects missing employee attestation to policies and procedures. This is a vital portion of what's considered effective compliance training. Simply educating your employees with videos is good, but ensuring they understand how your practice or business operates from a compliance perspective is vital. Giving employees access to your compliance policies and procedures is key to helping avoid compliance-related incidents and helps in preventing common mistakes from repeatedly taking place.

Are there specific compliance reporting challenges that prospects tend to encounter, and how do they typically address them before reaching out to us?

Typically my prospects always seem to have interest on the incident management side. They like the idea of automating the manual processes of incident tracking or having a more robust incident management system. Most of the time they already have a platform for incident management but are looking for ways to make the process more efficient. I also run into clients manually tracking incident reporting.

Another area that piques interest is policy attestation; sometimes policy attestation isn't included in their solution/tier package and they are doing it manually.

And overall, with the bigger picture of multiple platforms being used along with manual processes, my prospects really like the idea of tying everything together. They will typically hire a third party for risk assessments, have a policy manager platform, a separate LMS, and a platform for incident management as well.

What are some common compliance issues related to data privacy and security that tend to be overlooked by clients?

I am finding in my conversations that I'm rarely getting asked about the vendor management piece. Along with that, I believe having a small number of incidents reported is being overlooked, because to me it highlights that the incident reporting setup isn’t being maximized.

How well-prepared are clients when it comes to responding to compliance incidents, and what areas of improvement do they usually need?

From the clients' POV, they think that although the process might not be the most efficient, they would still be prepared for an incident. Most of the time they tell me that there have barely been any incidents, which to me could mean that their incident management setup could be preventing more incidents from being reported.

When prospects are getting audited, they typically consume all of their time and energy on completing that audit; some areas of improvement would be having a team doing it for you and finding a way of making the process less time-consuming.


We hope you found these insights helpful as you continue to navigate the complex world of compliance! Our team is always here to provide guidance and support, whether you’re looking to improve your compliance program with our comprehensive software, or need help staying ahead of regulatory changes.

If you have any questions or would like to learn more, don’t hesitate to reach out. Together, we can make compliance simpler and more efficient for your organization.