What is a Healthcare Compliance Plan?
A healthcare compliance plan is a document that outlines the compliance obligations of a healthcare organization, lists the measures that already exist to fulfill those obligations, identifies gaps in compliance, and determines what measures are required to fill the gaps. It is a valuable tool for organizations subject to multiple federal, state, local, and industry regulations because it deduplicates overlapping requirements and makes compliance work more efficient.
Most healthcare organizations are subject to multiple federal, state, local, and industry regulations. In addition, most comply with voluntary standards to achieve or maintain accreditation. If an organization attempted to comply with each regulation and standard individually, it would likely never achieve a state of compliance because of the number of duplicated requirements, provisions that preempt provisions of other regulations, multiple overlapping training requirements, and the speed at which regulations and standards change.
A healthcare compliance plan can simplify compliance planning by combining all the regulations and standards a healthcare organization has to comply with into a single document. The document can then be cross-referenced for duplications, contradictions, and preemptions so the organization only has one compliance blueprint to develop into a healthcare compliance program. This process also makes it easier to update a healthcare compliance program when regulations or standards change.
Typical Compliance Obligations in Healthcare
To illustrate the complicated nature of compliance in healthcare, the following table lists some of the multiple regulations and standards healthcare organizations may have to comply with.
| Category | Example |
| --- | --- |
| Federal regulation | The Health Insurance Portability and Accountability Act (HIPAA) |
| Federal regulation | Food and Drug Administration (FDA) regulations |
| Federal regulation | Conditions for Participation in Medicare and Medicaid |
| Federal regulation | Occupational Safety and Health Act (OSHA) requirements |
| Federal regulation | Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) |
| Federal regulation | Patient Safety and Quality Improvement Act (as applied by 42 CFR Part 3) |
| Industry standard (contractual, not a federal regulation) | Payment Card Industry Data Security Standard (PCI DSS), binding on organizations that accept card payments through their card-brand and acquirer agreements |
| Voluntary standard | Joint Commission Accreditation Standards |
| Voluntary standard | Service Organization Controls 2 (SOC 2) |
| Voluntary standard | HITRUST Common Security Framework (CSF) |
| Voluntary standard | ISO/IEC 27001 |
| Voluntary standard | Center for Internet Security (CIS) Critical Security Controls |
| Voluntary standard | National Institute of Standards and Technology (NIST) SP 800-53 |
| Voluntary standard | HHS Cybersecurity Performance Goals (currently voluntary) |
| State regulation | California Privacy Rights Act |
| State regulation | Connecticut Personal Data Privacy and Online Monitoring Act |
| State regulation | Delaware Personal Data Privacy Act |
| State regulation | Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00) |
| State regulation | New Jersey SB 332 |
| State regulation | Texas Medical Records Privacy Act |
| State regulation | Virginia Consumer Data Protection Act |
| Local regulation | Fire codes |
| Local regulation | Safety codes |
| Local regulation | Noise codes |
| Local regulation | Building codes |
| Industry regulation (for dentists) | American Dental Association guidelines |
| Industry regulation (for dentists) | State dental board regulations |
| Industry regulation (for dentists) | Controlled Substances Act |
| Industry regulation (for dentists) | Environmental Protection Agency dental effluent guidelines |
Combining all the regulations and standards an organization has to comply with into a single healthcare compliance plan can reduce several duplicated requirements to one control that satisfies all of them. For example:
HIPAA, the conditions for participation in Medicare, and OSHA have similar emergency preparedness and testing requirements. These can be combined with local fire and safety codes so that one documented plan and one exercise satisfy five sets of requirements.
Many of the HHS Cybersecurity Performance Goals (which may become mandatory and a condition of Medicare participation) can be mapped to the Technical Safeguards required by HIPAA and to the corresponding NIST, CIS, and HITRUST controls, so one implemented control is evidenced once and cited against each framework.
It also becomes possible to determine which state-law provisions are more stringent than HIPAA and therefore not preempted by it, and where a state privacy law exempts covered entities in respect of PHI but not in respect of other identifying information maintained outside a designated record set.
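The cross-referencing described above is essentially a crosswalk: each provision of each regulation or standard is mapped to one canonical control, duplicates collapse, and any control with no existing measure behind it is a gap. The following Python sketch, added here as an illustration and not taken from the page or from any compliance product, shows that grouping and gap check over a constructed sample. The control identifiers (`CTRL-...`) and the provision labels are hypothetical placeholders, not citations to the underlying rules.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Obligation:
    framework: str   # regulation or standard that imposes the obligation
    provision: str   # descriptive label only (constructed, not a legal citation)
    control: str     # canonical control the provision is mapped to (hypothetical ID)


# Constructed sample crosswalk. Control IDs and provision labels are hypothetical.
OBLIGATIONS = [
    Obligation("HIPAA", "contingency plan and testing", "CTRL-EMERGENCY-PREPAREDNESS"),
    Obligation("Medicare CoP", "emergency preparedness program", "CTRL-EMERGENCY-PREPAREDNESS"),
    Obligation("OSHA", "emergency action plan", "CTRL-EMERGENCY-PREPAREDNESS"),
    Obligation("Local fire code", "evacuation drills", "CTRL-EMERGENCY-PREPAREDNESS"),
    Obligation("Local safety code", "emergency exits and signage", "CTRL-EMERGENCY-PREPAREDNESS"),
    Obligation("HIPAA", "unique user identification", "CTRL-UNIQUE-USER-ID"),
    Obligation("CIS Controls", "account management", "CTRL-UNIQUE-USER-ID"),
    Obligation("HITRUST CSF", "user identification", "CTRL-UNIQUE-USER-ID"),
    # Exact duplicate, as happens when two source lists are merged; it must collapse.
    Obligation("HIPAA", "unique user identification", "CTRL-UNIQUE-USER-ID"),
    Obligation("42 CFR Part 2", "consent before SUD record disclosure", "CTRL-SUD-CONSENT"),
]


def build_plan(obligations):
    """Group obligations by canonical control, dropping exact duplicates.

    Returns {control_id: [Obligation, ...]} with insertion order preserved.
    """
    seen = set()
    plan = defaultdict(list)
    for ob in obligations:
        if ob in seen:
            continue
        seen.add(ob)
        plan[ob.control].append(ob)
    return dict(plan)


def frameworks_satisfied(plan, control):
    """Every framework whose requirement is met by implementing this one control."""
    return sorted({ob.framework for ob in plan[control]})


def gaps(plan, implemented):
    """Controls the plan requires but for which no existing measure is recorded."""
    return sorted(control for control in plan if control not in implemented)


def summary(obligations, implemented):
    """Counts a practitioner would put at the top of the plan."""
    plan = build_plan(obligations)
    return {
        "obligations": len(obligations),
        "controls": len(plan),
        "gaps": gaps(plan, implemented),
    }


if __name__ == "__main__":
    # Constructed: measures the organization already has evidence for.
    already_implemented = {"CTRL-EMERGENCY-PREPAREDNESS", "CTRL-UNIQUE-USER-ID"}
    plan = build_plan(OBLIGATIONS)
    for control in plan:
        print(control, "satisfies:", ", ".join(frameworks_satisfied(plan, control)))
    print(summary(OBLIGATIONS, already_implemented))
```

The point of the structure is that evidence is collected once per control and cited back to each framework, and that a missing control shows up as a gap regardless of how many frameworks demand it. Preemption and contradiction handling would need an extra field recording which mapped provision is the most stringent, which this sketch deliberately leaves out.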
The Challenges of Compiling a Healthcare Compliance Plan
The challenges of compiling a healthcare compliance plan are knowing which regulations and standards the organization has to comply with, working out what measures already exist to fulfill those obligations, and maintaining a cross-reference large enough to track duplications, contradictions, and preemptions across all of them. Healthcare compliance software is one solution to all three challenges.
Healthcare compliance software helps organizations overcome these challenges by listing applicable regulations and standards, mapping compliance obligations onto common controls, and providing checklists an organization can work through to identify gaps. The software can then be used, for example, to generate privacy policies or list the required security measures, helping the organization finalize its healthcare compliance plan.
In most cases the software can be customized for specific jurisdictions or industries, and is updated as regulations and standards change in ways that may affect the compliance program. However, because introducing healthcare compliance software can disrupt existing compliance activities, it is best to seek independent compliance advice before committing to a solution of this kind.