What is Healthcare Governance, Risk Management, and Compliance (GRC)?
Healthcare governance, risk management, and compliance (GRC) are the three components of an interconnected framework that can help healthcare organizations better monitor and manage risks in order to support compliance with regulations, standards, and best practices. This article discusses the benefits of GRC in healthcare using HIPAA as an example. However, the GRC framework can be applied to most other regulations, standards, and best practices.
Healthcare governance, risk management, and compliance are often considered to be three separate activities or activities that have a linear progression. For example, healthcare governance can be interpreted as the accountability (of a team or individual) for compliance, which is then delegated in part to those in charge of assessing and mitigating risks (nurse managers, HR, IT, legal, etc.), who then develop policies and procedures and provide workforce training.
This linear approach to complying with applicable regulations, standards, and best practices can result in silos of compliance. In these silos of compliance, inconsistencies in how policies and procedures are developed, implemented, and enforced can result in operational inefficiencies, a deterioration in patient care, and events that lead to enforcement actions being taken by regulatory agencies or the loss of a professional accreditation.
Why GRC is Better Together
In a GRC framework, although healthcare governance, risk management, and compliance are still the same activities, the three activities are interconnected. Two-way communication between all three activities prevents silos of compliance and inconsistencies, communicates changes to policies more effectively, mitigates new risks more quickly, and avoids day-to-day events that could result in violations or complaints.
As an example of how this works in practice, a healthcare organization is permitted by the Privacy Rule (§164.512) to disclose information to an employer so that the employer can fulfill its OSHA reporting obligations. The healthcare organization has developed a policy permitting such disclosures over the phone, subject to the identity of the caller being verified and the disclosure of PHI being limited to the minimum necessary.
The Compliance/Complaint Quandary
The member of the workforce on duty has been trained on the policies and procedures for disclosing PHI to employers, but is concerned the caller is not who they claim to be or is requesting more information than necessary. If the workforce member discloses the information impermissibly, they would be in violation of the organization’s policies and procedures. If they do not provide the information requested, the risk exists of the employer making a complaint against the healthcare organization for not disclosing the information in a timely manner.
If a linear GRC process existed, the workforce member (the compliance component) would have to escalate their concerns to their supervisor (the risk management component), who would then have to escalate the issue to the compliance team (the governance component) and wait for an answer to come back down the chain. With a GRC framework in place, the workforce member can seek an immediate answer from the governance component in order to avoid violating the organization’s policies and procedures or risking a HIPAA complaint from the employer.
How GRC Improves Operational Efficiency
While this is a simple example of a healthcare governance, risk management, and compliance framework in action, the example doesn’t end there. The event exposed an issue in the policies and procedures developed by the organization which needs to be resolved. In this example, it is likely the compliance team would liaise with the supervisor and the workforce member to identify why the workforce member had concerns and what could be done at the point of contact to eliminate them.
This will likely result in a revised procedure (e.g., if in doubt, ask to call the employer back via their business number) which has to be communicated not only to the workforce member on duty at the time, but to all workforce members who could potentially be in the same situation. The GRC framework will enable the new procedure to be implemented more quickly to prevent the situation from recurring, prevent disruptions to healthcare operations, and reduce the risk of HIPAA complaints.
Software for Healthcare Governance, Risk Management, and Compliance
While a GRC framework can streamline the resolution of compliance issues to reduce risks and enhance governance, software for healthcare governance, risk management, and compliance can increase the speed at which such issues are resolved. For example, rather than manually communicating a revised procedure and providing training on it, the process can be automated so that all members of the workforce whom the revised procedure affects, and their supervisors, can be advised with the click of a mouse.
It cannot be emphasized enough that this is a very simple example. However, it should be clear that software for healthcare governance, risk management, and compliance could be used in far more complex scenarios to eliminate silos of compliance and inconsistencies in order to improve operational efficiency, enhance patient care, and prevent enforcement actions being taken by regulatory agencies. Organizations interested in developing a healthcare governance, risk management, and compliance framework should seek professional compliance advice.