Publication

Compliance Policies and Procedures: The Ultimate Guide

Richard P. Kusserow | September 2013

Compliance policy and procedure documents are the foundation of any compliance program, both in terms of organization and management of the program. But recent surveys reveal many compliance leaders are unclear on their true regulatory requirements – which leads many to miss vital policy documentation.

This article provides a complete overview to help you understand and meet your requirements. Based on decades of industry experience, we explain exactly what must be included in your compliance documentation and how to improve the documentation itself.

What is the Purpose of Compliance Policies and Procedures?

Compliance policies and procedures are an objective record of your organization’s approach to compliance. They list all activities your employees are expected to undertake – from safe handling of PHI to the frequency of HIPAA training. But these documents don’t just facilitate compliance with applicable laws, regulations and standards – they are themselves a compliance requirement.

Are Compliance Policies Expensive to Develop?

The average cost of developing a single policy is about $5,000. This is regardless of whether the development is done through an outside contractor or law firm or internally by a committee within the organization. You must also consider the resources expended to properly review and approve policy documents. This can be time-consuming and costly in terms of time and effort.

As a result, many turn to shortcuts to reduce the cost, such as using policy templates already developed. Some organizations post their own policies online, and these are free to download. If using this approach, care must be taken when copying and pasting another organization’s document, for two clear reasons:

  1. There may be significant differences in the organization and management of the policies and procedures, which makes adapting them difficult.
  2. There is the question of whether the other organization correctly and consistently addressed applicable laws and regulations.

However, there are legitimate sources that assist in developing policy documents in an efficient, effective, and inexpensive manner.


What Does the OIG Say About Compliance Policies?

The HHS Office of Inspector General (OIG) has issued a number of compliance program guidance documents, all of which stress the importance of written compliance guidance for employees. The OIG notes that “At a minimum, comprehensive compliance programs should include…the development and distribution of written standards of conduct, as well as written policies and procedures that promote the [organization’s] commitment to compliance and that address specific areas of potential fraud, such as claims development and submission processes, code gaming, and financial relationships with physicians and other health care professionals.”[2] The United States Sentencing Commission’s “Federal Sentencing Guidelines” note that, to “have an effective compliance and ethics program…, an organization shall…establish standards and procedures to prevent and detect criminal conduct.”

The Cost of Missing Compliance Policies

The failure to properly develop, disseminate, and train covered persons on compliance-related policies and procedures can prove to be a huge mistake that can result in a variety of liabilities, loss of revenue, and damage to reputation. The fact is that scores, if not hundreds, of policy documents are needed to be in compliance with regulatory and care standards. Compliance-related policy documents are needed to establish the structure and operation of the compliance program. These alone number in the dozens. Some of them are identified directly in compliance guidance documents, such as the duty to report, non-retaliation, confidentiality, etc.

However, most of the needed compliance-related policies are operational in nature and relate to compliance high-risk areas. The upcoming deadline for ICD-10 Coding mandates is a reminder of this. The deadline for these policies is October 1, 2014, and that date is fast approaching. Those failing to meet this deadline will be confronted by a host of payment and penalty problems. Those who have been working to revise and update the code policies know how difficult, time-consuming, and expensive it is to do this.

Which Compliance Policies Do You Need?

The challenge is how to identify and develop all the needed policies. The following are some common types of compliance-related policies:

  • Anti-Kickback Statute
  • Claims Development & Submission
  • Clinical Research
  • Coding
  • Cost Reports
  • EMTALA
  • HIPAA
  • Human Resources Management
  • Laboratory Services
  • PATH
  • Quality of Care
  • Recovery Audit Contractors
  • Sarbanes Oxley
  • Stark Law

Best Practices to Develop Compliance Policies

There are numerous ways to create policies and procedures that support healthcare compliance. Our experience over multiple decades suggests the following tips are particularly important for developing policy documents that actually improve compliance:

  • Standardize policies in form and format to avoid confusion.
  • Ensure all the policy statements are short, declarative, and specific to a single issue.
  • Write the document in the active voice.
  • Make documents user friendly to those who have to live by them.
  • Make sure the policy does not conflict with other policy documents.
  • Cross reference all policies to similar ones.
  • Define all key terms used in the document.
  • Anchor the document in cited authority.

All policy documents should include:

  • Header Block
  • Background Introduction
  • Purpose/Objectives Statement
  • Definitions Section
  • Scope of the Policy
  • Policy Statements
  • Procedures
  • Related Policies
  • References/Citations

Improve Your Compliance Procedures with Strategic Management Services

Developing compliance policies and documenting them is complicated and time-consuming. But the worst part is many organizations undertake these tasks without a complete view of their true compliance program efficacy – which means they may not map onto reality.

Strategic Management Services helps you evaluate your program, understand your requirements, and develop policy documentation that matches your true needs. With tailored services to understand, review, and remediate your compliance program, we protect you from risk and ensure every aspect of compliance is effective.


Frequently Asked Questions (FAQ)

1. What is a Compliance Policy?

A compliance policy is a set of guidelines and practices that an organization develops to ensure that it and its employees meet all regulatory and ethical requirements. Such policies are generally mapped around specific industry regulations.

2. How Many Compliance Policies Do I Need?

The average US healthcare organization is subject to 629 regulatory requirements across nine domains. However, the number of discrete compliance policies required to meet those requirements is unclear, and many organizations have separate policies to cover specific regulations, such as HIPAA policies, billing policies, or employee training policies – making an exact number hard to quantify.

3. How Should I Create Policies and Procedures?

The process should take a few key steps:

  • Identify the target regulation
  • Outline your policy objectives
  • Engage stakeholders to understand existing processes
  • Draft policies to ensure those processes are compliant
  • Review and revise the policies

But many organizations lack the internal expertise or resources to complete this process. Instead, they rely on external consultants to develop and revise key policy documents like codes of conduct.

4. How Long Does It Take to Create Compliance Policies?

Compliance policies can be developed relatively quickly using templates, but developing them from scratch is likely to involve a lot of time and effort. There should be extensive consultation with internal stakeholders to understand how each regulatory requirement impacts operations, along with careful drafting of the policies to ensure they are clear and easy to follow.

5. What Are the Most Common Compliance Policies?

The most common compliance policies in healthcare include:

  • Code of Conduct: Outlines the expected ethical behavior and standards for employees.
  • Regulatory Guidelines: Instructions to comply with data privacy, insurance billing, and patient care standards.
  • Company Policies: Internal rules that employees are required to follow.
  • Training Programs: Educational resources to ensure employees understand and can adhere to compliance requirements.

[1] For more guidance, go to the Policy Resource Center.

[2] Office of Inspector General. Publication of the OIG Compliance Program Guidance for Hospitals. 63 Fed. Reg. 35, 8987 (Feb. 23, 1998). http://oig.hhs.gov/authorities/docs/cpghosp.pdf

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.