Governance, risk, and compliance — GRC — are the functions used to keep healthcare organizations safe and compliant when it comes to data. It should stand for “guard really close” because it involves protecting sensitive and private patient and company information through how it’s stored, who’s handling it, and who has access to it. The main driver of an organization’s GRC functions is compliance with laws like HIPAA, HITECH, and Sarbanes-Oxley (SOX), among many others.
Most often, GRC is thought of in relation to patient health information. But that’s not all it applies to. GRC affects the very fabric of a provider or payer organization from IT and network management to HR and team structure to vendor management and software licenses.
GRC affects not only intra-organization relations but also inter-organization relations. Between payers and providers there are many points of communication in which data is exchanged, including credentialing, enrollments, claims, and more. All of these processes should fall under the GRC department’s watchful eye to ensure that payer-provider interactions are conducted not only smoothly and efficiently but also safely and compliantly.
When it comes to governance, credentialing and other onboarding or RCM processes should be examined by both payer and provider organizations at their root to ensure that workflow is optimized. The data involved in these processes should be stored and managed in a way that limits the possibility of human error in handling it. For example, if the required data for onboarding your clinicians lives in the HR department’s database, but the same data on your clinicians lives in claims-related spreadsheets over in the billing department too, well, that’s not great governance of your information.
Duplicate data records are an invitation to human error, which is to say risk. How will your teams know which record is the source of truth? If a clinician’s data is updated with HR, when, how, and by whom does it make it over to billing? Is having teams constantly recheck each other’s records really the most efficient way to handle (govern) your data? The result is not only duplicated data but also custom processes at the team and individual levels. It’s not uncommon to see two colleagues sitting next to each other in the billing department going about credentialing in two different ways.
When teams get creative, they may also become unintentionally less compliant. SOX requires that certain records be retained for specified lengths of time. While this usually applies to payroll and other accounting files at publicly traded companies, it can reach some aspects of credentialing and other billing and RCM processes too. Beyond federal law, some states have peer review laws related to medical malpractice cases that affect how medical credentialing files must be stored and protected. If there are disparate processes within an organization for handling provider data and payer interactions, full compliance across those various approaches is unlikely.
Without a doubt, the G-R-C functions are interrelated. Weak governance practices put compliance at risk, and lack of compliance creates audit risk. As payers and providers look under the hood, good GRC hygiene begins with how you’re storing and using data. When data for payer-provider interactions is housed and accessed correctly, the rest starts to fall into place.
If they haven’t already, organizations addressing GRC should consider consolidating credentialing info and other provider data into one organization-wide database. Additionally, creating one system for applying those data to forms and claims can help eliminate even more risk in these processes.
In short, buttoning up GRC boils down to standardization and automation. While healthcare continues to recover from the pandemic’s effects, let’s take what we’ve learned about creatively using technology and apply it across the industry so that we can emerge with better technology, better processes, and a better system.