Effective Compliance Program

The Seven Elements of an Effective Compliance Program


Healthcare Organization Fined for Multiple Compliance Failures

Fresenius Medical Care North America experienced five PHI breaches that exposed the information of 521 patients. After conducting an investigation, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) determined that the healthcare organization failed to implement an effective compliance program because of its failure to conduct a risk assessment, inadequate security policies, insufficient physical safeguards, and lack of encryption. The organization was fined $3.5 million for the HIPAA violation.

What Are the Seven Elements of an Effective Compliance Program?

Behavioral health practices have an obligation to adhere to HIPAA standards to secure patients’ protected health information (PHI). PHI is any individually identifiable health information classified into 18 HIPAA identifiers such as patient name, address, and treatment information, to name a few. The Office of Inspector General (OIG) released guidance to enable covered entities (CEs) to implement adequate protections, referred to as the Seven Elements of an Effective Compliance Program.

  1. Implementing written policies, procedures, and standards of conduct

Behavioral health practices are mandated to have written policies, procedures, and standards of conduct surrounding the handling of PHI. These must be customized to apply directly to the organization, and are required to be reviewed annually to account for any changes in business operations.

  2. Designating a compliance officer and compliance committee

Although the designated compliance officer does not need to be a HIPAA compliance expert, they must be aware of their organization’s HIPAA compliance program. The compliance officer should be available to answer questions on their organization’s HIPAA compliance program. In the event of a breach, the compliance officer will coordinate with the HHS to ensure that all required documentation is in place.

Additionally, healthcare organizations should consider forming a compliance committee. A compliance committee is responsible for maintaining their organization’s HIPAA compliance, and monitoring changes in HIPAA law. The committee should consist of the compliance officer, legal counsel, IT personnel, and privacy officers.

  3. Conducting effective training and education

HIPAA requires employees to be trained annually on their organization’s policies and procedures, as well as HIPAA standards. Training must be documented to prove that all employees attended training and understood what they were trained on. Utilizing an online HIPAA training platform is the best way to ensure that all employees are trained, as such platforms can attribute actions to specific employees.

  4. Developing effective lines of communication

Breach notification must be reported in a timely manner. As such, it is important that employees know who to report a breach to. In addition, the HHS requires employees to have a means to report breaches anonymously.

  5. Conducting internal monitoring and auditing

Under HIPAA law, it is required to complete six self-audits annually, five for business associates (BAs). Conducting self-audits evaluates administrative, technical, and physical safeguards to uncover any gaps that may exist.

  6. Enforcing standards through well-publicized disciplinary guidelines

Without written disciplinary guidelines, it is difficult to motivate employees to adhere to company policies. Many organizations fail to realize the threat employees can pose to their security. There should be clear, predetermined disciplinary actions for employees who do not uphold privacy standards.

  7. Responding promptly to detected offenses and undertaking corrective action

Healthcare breaches must be reported to the HHS as well as affected individuals.

  • Meaningful breaches are breaches affecting more than 500 individuals. Meaningful breaches must be reported within 60 days of discovery to HHS OCR, affected individuals, and the media.
  • Minor breaches are breaches affecting fewer than 500 individuals. Minor breaches must be reported by the end of the calendar year to HHS OCR and affected individuals.

An organization that experiences a healthcare breach must develop corrective action plans to ensure that a similar breach does not occur in the future. If the breach originates from an internal entity, the organization should retrain employees to ensure that they understand what is permitted and what is not. If the breach occurs due to an external entity, the organization should assess its security measures to determine where security gaps are. Once gaps are determined, remediation efforts should be implemented to address them.

When creating a compliance program, behavioral health practices should look to the Seven Elements of an Effective Compliance Program for guidance. Implementing an effective compliance program protects organizations that are subject to a HIPAA audit, as it enables them to prove their “good faith effort” towards HIPAA compliance.

Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.