What are the Seven Elements of a Compliance Program?

The purpose of a compliance program is to help organizations in an industry create a culture of compliance in their workplace. A compliance program has seven elements or integrated processes. If applied properly, the seven elements can be useful for simplifying operational procedures, optimizing organizational performance, and reducing total expenditures.

Although any industry can use the seven elements of a compliance program, the healthcare industry was the first to apply them during the 1990s. Healthcare fraud and abuse were increasing, and there seemed to be a “compliance disconnect” at the implementation level in a lot of hospitals and health systems. Though the seven elements have been in use for twenty-five years, not necessarily for addressing the same problems, a lot of organizations continue to use them in their original form.

The Seven Elements of a Compliance Program

There have been several amendments or extensions to the seven elements to satisfy company or regulatory standards. For instance, when the Affordable Care Act required a compliance program for some healthcare providers to qualify for Medicare (42 CFR §483.85), one element was added that forbade companies from assigning discretionary authority to persons who “the company knew, or should have known by means of exercising due diligence, had the tendency to participate in criminal, administrative, or civil violations of the Social Security Act.”

However, many companies still use the original seven elements of a compliance program as detailed below:

Element #1 Develop written policies, procedures, and standards of conduct

The first element of a compliance program shows the importance of looking at a compliance program holistically, since it requires the creation of standards (etc.) as directed by a compliance officer. However, companies are advised to assign a compliance officer only in element #2.

Compliance programs must create and distribute written compliance standards, procedures, and practices that direct the facility and its employees in daily operations. These policies and procedures must be created with the help and oversight of the compliance officer, the compliance committee, and operational administrators.

Element #2 Assign a compliance officer and compliance committee

When assigning a compliance officer and creating a compliance committee, it is usual to choose from the HR, operations, or legal teams or the department leaders. It can be a mistake to choose from the legal team, for example, because of the lack of understanding of the real-life issues of compliance in the organization.

Although it is a good idea for a person with authority to head the compliance committee, it is advantageous to choose someone with public-facing roles (like healthcare professionals) and a combination of people from the administration, IT, and security who can give ideas on which policies are going to work and which ones will not without making changes to the current working practices.

Element #3 Administer useful training and education

Including training and education in a compliance program is not hard for the majority of companies in the healthcare sector, as most need to be in compliance with the HIPAA training standards. However, some need to have yearly compliance training before being allowed to participate in the Medicare program.

OIG notes that in the original seven elements of a compliance program, continuous retraining of employees at all levels is an important element of a good compliance training program. In addition, following the elements of the compliance program is a factor used for assessing the work of managers and supervisors.

Element #4 Establish effective channels of communication

Having effective channels of communication is crucial because it makes it easy for staff members to ask questions, report violations, and give comments on corrective action plans that may require changes to policies and procedures and more training.

Hence, the effective channels of communication between the compliance officer/committee and staff members should have a hotline or anonymous reporting system to accept questions, reports, and comments. Companies must also include procedures that safeguard the anonymity of complainants and keep whistleblowers safe from retribution.

Element #5 Perform internal monitoring and review

This element gives executive officers the means to oversee the compliance program by asking for compliance reports and reviews from the compliance officer. In healthcare systems, reports and audits must be conducted regularly to adhere to the HIPAA requirement for routine risk analyses and to be ready at all times for an executive audit.

When executive officers take part in this process, it opens the channels of communication “from the top to the bottom”. Even if it isn’t always practical to have employees speaking directly with the executives (and vice versa), it shows the commitment to compliance of the whole organization.

Element #6 Implement standards using well-communicated disciplinary guidelines

Many companies give disciplinary guidelines during training. In the healthcare industry, the standards associated with training and sanctions are mostly linked to the Administrative Requirements of the Privacy Rule, so it is unusual not to include an explanation of the company’s sanctions policy in preliminary HIPAA training.

When it comes to implementing standards, it is necessary to apply sanctions fairly. When one group of employees is sanctioned more frequently or more severely compared to another group for no good reason, executive officers must know why. Although maybe one manager is implementing standards over-eagerly, it’s also possible that another manager is permitting the workforce to take the easy way of compliance “to finish the job”.

Element #7 Respond immediately to identified offenses and take corrective action

In the original seven elements of a compliance plan that were published in the 1990s, the seventh element focused on finding fraud, reporting it, and imposing sanctions or measures to keep it from occurring again. Today, fraud prevention is a less important goal of a compliance plan. Hence, this element is just used to track the efficiency of the compliance program and enhance it where needed.

For instance, when an offense happened because of a flaw in a policy (element #1), insufficient training (#3), a communication issue (#4), or a monitoring problem (#5), the compliance officer (#2) may review the current policies, procedures, and standards, and revise them as needed (#7). When the offense happened because of what a non-compliant member of the workforce did, it may be necessary to increase the penalties in the sanctions guidelines (#6) to make it more of a deterrent.

The Challenges of Adopting a Compliance Plan

In the healthcare industry, most of the elements are or must be established already. It is required for HIPAA-covered entities to have created policies and procedures to be in compliance with the Privacy Rule, have a training and corrective program set up, and have protocols for doing internal audits and reacting to data breaches.

Hence, what is left for the compliance officer to do is to make the seven elements of a compliance plan well-integrated. When managed properly, the plan will help companies to create a culture of compliance with lower costs, better organizational operations, and good quality healthcare.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone