Search Legal Perspectives:
Quality Assurance, Corporate Compliance, and Risk Management: Overlapping But Not Identical Tools
Expectations are high for optimizing outcomes in health care in general. The manner in which health care providers working in long-term care are subject to such expectations are even higher. Some believe that the only industry more closely regulated than long-term care is the nuclear power industry.
Whether or not this is true, since the oft-referenced Institute of Medicine report leading to the enactment of the Nursing Home Reform Act in 1987 was published, Medicare and Medicaid skilled nursing facilities and nursing facilities, consumers, government and payers expect a continuing focus on quality, however defined, outcomes and resident autonomy and function. This has had a spillover effect on other elements of the long-term care continuum, particularly as assisted living facilities accept higher acuity residents and seek Medicaid payment, which carries with it increased scrutiny. In the current environment, some believe it is no longer sufficient to "do right" in providing care; it is also necessary to show how the provider strives to do right.
Quality assurance, corporate compliance, and risk management have common elements. They all represent processes by which care and services are scrutinized, audited, and generate action plans intended to benefit patients. They all represent methods by which health care providers are able to measure performance against applicable standards. There are differences as well, however.
Some of these differences are represented by the audience to which these efforts are directed. These can include staff, outside providers rendering services in a setting, patients and their families and responsible parties, government, and payers. Sometimes elements of these processes are protected under statutory or common law privileges, under the theory that candid self-examination must include an element of confidentiality. Sometimes elements of these processes are intended to be transparent to third parties, as a way for them to see how a provider of care responds to identified problems that arise and also proactively seeks out areas in which there is known risk of noncompliance.
Quality assurance (or quality improvement, performance improvement, or similar activities) refers to a process of self-examination in which identified individuals, or a committee of individuals with that authority, review situations in which actual or potential problems have arisen or might arise and look for patterns and trends that might suggest a need for broader investigation, intervention, or training. For example, the Federal Requirements of Participation (the "Requirements") that a quality assurance committee must be in place and function according to the applicable federal regulation. However, other long-term care providers may also have a quality assurance process. The federal regulation as implemented by the Centers for Childcare and Medicaid Services (CMS) makes clear that federal and state surveyors are not to use quality assurance materials as the basis for citing deficiencies, but a review of the process is conducted to ensure the SNF (skilled nursing facility) or NF (nursing facility) has a compliant process.
The existence of this federal regulation does not mean that other third parties may not attempt to access quality assurance materials, such as the minutes of such committees or reports they prepare. However, there may be other law that protects against disclosure of such material, by statute or where courts recognize a common law right to confidential self-examination. It is, therefore, important to know how quality assurance materials are handled in each particular state. As general rule, materials that are otherwise public or available to third parties cannot be made confidential by submitting them to a quality assurance committee. For example, medical records are not made confidential by submitting them for quality assurance review. By the same token, information may lose its confidential character if it is not treated as such. Facilities should discuss how materials such as incident reports or investigations are treated, even where they are not included in a medical record but are provided to government agencies. Such government reports may be required under federal or state law, but they may also lead to further investigation by the quality assurance committee.
The federal and state law may protect quality assurance materials from disclosure to third parties, but, care must be taken to have a process that qualifies for this protection. State law may dictate how such a quality assurance, peer review, or medical review committee may be created. Materials that are protected must be distinguished from those that are not otherwise confidential. Thus, for example, where nursing leadership prepares reports or conducts audits that are intended to be a form of quality assurance, it is important that the quality assurance committee be aware of and incorporate those documents in its process and deliberations.
Thus the committee should distinguish among public information it uses in its process, the minutes or reports of the committee that are for the committee's use, and, as a result, the public guidance or directives the quality assurance committee issues to the staff, such as identifying the need for training or other action in particular areas.
Corporate compliance refers to an initiative strongly recommended by the Office of Inspector General, U.S. Department of Health and Human Services for my Medicare or Medicaid Provider. Its foundation is the development of a corporate compliance plan that is scaled to the type of provider, its size, and its services, but with a common theme of identifying regulatory requirements and areas of concern or risk of noncompliance (such as through the Office of Inspector General's (OMG's) guidance for certain provider types and in its annual workplan). It includes strong elements of education, auditing, and reporting, along with whistleblower protection. The OIG has indicated that it will take into favorable consideration the presence of an effective compliance plan when regulatory violations are identified. Corporate compliance, although having a link to quality assurance, has a broader view toward overall regulatory compliance, such as focusing on reimbursement issues. It differs from the quality assurance process in that corporate compliance has an element of transparency, that is, interested persons, including government, have a greater expectation that the compliance process will lead to self-reporting of violations to the government and strong, public educational and corrective action measures. Whereas a quality assurance committee may consider risk areas on an internal, confidential basis to test whether particular issues are of legitimate concern, a corporate compliance process is more likely to announce its annual initiatives and areas of audit. Some of these areas may have been recommended by the quality assurance committee.
Risk management typically refers to the handling of events that may or are likely to result in liability to the health care provider. Sometimes this may involve an after-the-fact response to an incident or outcome. Sometimes this may refer to the handling of a particular type of risk in conjunction with a Liability insurer (to mitigate risk of liability) and legal counsel.
Particular matters may result in a referral by leadership to legal counsel for an investigation and analysis under attorney-client privilege or attorney-work product privilege. Such referrals may issue from any of the quality assurance, corporate compliance, and risk management process. The work of attorneys is subject to another body of law. In working with counsel, it is useful to discuss how that representation can proceed alongside of the provider's need to have an effective, ongoing quality assurance and corporate compliance process.
All staff are involved in these activities, even if they are not formal members of a group or committee with responsibility in these areas. This is because it is staff who have information about daily services in the facility, services rendered there by third parties, risk areas, and whether training and monitoring activities are working. It is staff members who create the underlying documentation that is the fundamental basis for all of these efforts. Thus timely, complete, and accurate documentation is essential. It is also important to understand whether any particular piece of documentation is created for one of these particular purposes, however. A system should be in place so that any given piece of documentation can be properly identified as, for example, 1) a medical record used in the ordinary course of care; 2) a business record that is not a medical record; 3) a document prepared, labeled, and used for quality assurance purposes; 4) a corporate compliance tool; or 5) a risk management document. This is particularly the case when a document is created and used at the direction of legal counsel in responding to a particular situation.
In summary, optimal outcomes consistent with appropriate expectations for patients with particular clinical conditions are a universal goal. In addition to daily, documented care, these various processes can, in their overlapping way, facilitate candid, internal self-examination and demonstrate good faith efforts to comply with regulatory and reimbursement requirements. Staff should be interested in understanding how the particular setting in which they work integrates and coordinates these overlapping but not identical efforts.