Governance Essentials

Healthcare Non-Profit Compliance Primer
Oct 1, 2020 (10 minute read)

As a healthcare nonprofit, you have the opportunity to improve thousands of lives. However, being a healthcare nonprofit comes with its fair share of regulatory and organizational issues that can affect your long-term future. 

In this article, we'll look at some common types of healthcare nonprofits, the compliance requirements they typically face, including HIPAA, and the best ways to manage healthcare nonprofit compliance.  


Types of Healthcare Nonprofits 

As varied as healthcare issues can be, there are many different types of healthcare nonprofits too. Let's take a look at some of the most common ones below. 


Community Healthcare Centers

These are federally funded 501(c)(3) organizations that provide healthcare services to low income groups. They are generally located in areas where people do not have access to medical support. They serve people from diverse backgrounds and communities. Apart from basic healthcare, they often provide programs related to nutrition, exercise, and wellness. They form a critical component of the public healthcare system, ensuring people in both urban and rural areas benefit from healthcare innovations. Even though they’re nonprofits, they work with cutting edge technology, equipment, and systems to ensure the best care for patients.  


Drug de-addiction centers

Rehabilitation centers for people with drug dependence are another type of healthcare nonprofit. The cost of a private rehabilitation facility can be out of reach for people from low-income households, who are also among those most in need of such services. Nonprofit centers help people cope with the depression and anxiety that accompany addiction and, ultimately, end their dependence on drugs. 


Mental healthcare centers

While physical health is important, mental wellbeing is also a crucial aspect of healthcare. Nonprofit mental health organizations help people recognize signs of mental distress and address them in time. Mental health is often treated as a taboo topic that people refrain from discussing, so an important role of these nonprofits is also to raise awareness of mental health issues and encourage people to come forward and seek help. Mental healthcare centers are staffed by professionals who help people cope with distress, both emotionally and psychologically. 


Common Compliance Requirements for Healthcare Nonprofits

Nonprofit healthcare organizations enjoy various benefits from the government, including exemption from federal income tax. Hence, they are closely scrutinized by government bodies and must comply with certain rules and laws to keep their nonprofit status. Organizations that fail to meet federal and state compliance requirements face penalties and fines, can lose their tax-exempt status, and can be barred from soliciting funds. 


Some common compliance requirements for nonprofit healthcare organizations include: 


  • Form 990: Nonprofit healthcare organizations must file Form 990 annually with the IRS (Internal Revenue Service). The form reports the organization's mission, programs, finances and governance, and it is a public document. 
  • Donation receipts: Healthcare nonprofits must keep a complete record of all the donations they receive. For any donation of $250 or more, the nonprofit must give the donor a written acknowledgement. Donation records must be produced for the authorities when required. 
  • Fundraising: Most states require a healthcare nonprofit to register (a charitable solicitation license) before soliciting donations there, and to renew that registration, usually every year. Organizations without a valid registration are not permitted to solicit funds in that state. 
  • HIPAA for healthcare nonprofits: HIPAA protects patients' health information and restricts how it may be used and disclosed. Under this act, a healthcare organization that is a covered entity (or a business associate of one) must put safeguards in place to protect sensitive health information. We cover this act in detail below.  


Board and Grant Reporting

The board of a healthcare nonprofit organization serves as the guiding light for its actions, helps ensure that it is legally compliant at all times, and manages and supervises its activities. Each board member should have a specific role. 


First and foremost, it is important for a board to ensure a healthcare nonprofit meets rules and regulations in the healthcare industry on an ongoing basis. Board members are also responsible for providing strategic leadership, financial stability, and executive support to a nonprofit organization. 


The board must develop and communicate the organization's vision, mission, and goals. It must continually monitor the organization's progress and outcomes. Typically, a robust system for evaluating performance should include the budget, balance sheet, income statement, annual report, and financial reports. These are all critical documents when filing the 990 form. 


In terms of legal compliance, the board must ensure that Form 990 is filed every year by its deadline. Finally, the board is also responsible for heading fundraising activities for a healthcare nonprofit.  Successful healthcare nonprofits are generally managed by enthusiastic board members, who regularly attend meetings, actively participate in every aspect of the nonprofit's functioning, and represent the organization in a positive manner. 


HIPAA for Healthcare Nonprofits

HIPAA stands for Health Insurance Portability and Accountability Act, a federal law enacted in 1996 whose Privacy and Security Rules safeguard individually identifiable health information. The goal of HIPAA is that a person's health information is not used or disclosed to unauthorized parties except where the rules permit it or the individual has authorized it. 

To protect patients' health information under HIPAA, a healthcare nonprofit that is a covered entity (or a business associate of one) must put administrative, physical and technical safeguards in place. In practice that means at least the following: 


  • Encrypt protected health information in transit and at rest, including any email that carries it; a password-protected attachment whose password travels in the same email is not encryption in any useful sense.
  • Write and enforce policies on how health information is collected, documented, shared and retained, and train staff on them. 
  • Avoid fax as a way of sending health information, or at least verify the destination number first, because a misdirected fax is an impermissible disclosure that may have to be reported.
  • Restrict access to sensitive information to the minimum necessary for each role, using unique user accounts, strong passwords and, where possible, multi-factor authentication, and keep an audit trail of who accessed what. 

HIPAA is enforced by the U.S. Department of Health and Human Services through its Office for Civil Rights. If an employee or patient files a complaint, it is investigated and corrective action is taken against non-compliant organizations. Covered entities must also report breaches of unsecured protected health information to HHS and to the affected individuals themselves. 

Often, HIPAA violations occur when health information is stolen, when sensitive data is copied somewhere it should not be, or when information is disclosed verbally.  

Violation of HIPAA can incur severe penalties for healthcare organizations. These include: 


  • Civil monetary penalties, enforced by the HHS Office for Civil Rights and tiered by culpability. For the lowest tier (the organization did not know, and could not reasonably have known, of the violation) the original statute set $100 per violation up to $25,000 per calendar year for identical violations; the HITECH Act of 2009 raised the caps to $50,000 per violation and $1.5 million per year.
  • Criminal penalties of up to $50,000 and one year of imprisonment for knowingly obtaining or disclosing individually identifiable health information. 
  • Up to $100,000 and five years of imprisonment for violations committed under false pretenses. 
  • Up to $250,000 and ten years of imprisonment for violations committed with the intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm.

HIPAA violations have cost many hospitals and organizations hefty fines. St. Elizabeth's Medical Center paid $218,400 to settle after staff used an internet-based document-sharing application to store the electronic protected health information of at least 498 patients without first assessing the risk. In another case, Anchorage Community Mental Health Services paid $150,000 after malware exposed the records of more than 2,700 patients; the center was running outdated, unpatched and unsupported software. Both cases underline the importance of documented processes and procedures, including a risk analysis before adopting a new tool and a discipline of patching and updating software, rather than merely scanning for malware after the fact. 


Why does a GRC software solution make sense for a healthcare non-profit?

It can be hard to detect security and compliance issues in growing and complex healthcare nonprofits. Moreover, compliance with HIPAA and other regulations often entails huge amounts of paperwork that healthcare organizations can find cumbersome. 

A simple answer to these compliance needs is automated compliance software that extends across the entire organization, which helps maintain consistency and minimize human error. 

An automated system for healthcare compliance such as VComply offers the following benefits to nonprofits: 


  • Efficient processes: A cloud-based platform for storing data reduces manual work, frees resources for patient care and cuts down on errors. With simple checklist and reporting capabilities, you can see patient data as well as any pending compliance requirements at a glance. (If that data includes protected health information, the platform vendor is a HIPAA business associate and must sign a business associate agreement with you.) 
  • Higher security: Violations of HIPAA and other regulations are often the result of human error, which a digital system with consistent controls reduces. An automated system for organizing and managing patient data is both convenient and effective for healthcare nonprofits. Regular checks and updates keep patient data secure, up to date and accessible to the people authorized to see it. 
  • Compliance with HIPAA and other regulations: You already know that compliance is of utmost importance to healthcare nonprofits. With automated compliance you'll be able to enforce reliable compliance processes, keep track of changing rules and regulations, and get regular reminders of the compliance actions needed on your part. This helps you consistently meet your compliance requirements in a timely way. 


We hope this article sets you up to meet your legal compliance needs. Violations of laws such as HIPAA are often the result of technical oversight and of not keeping pace with changing technology. With the right tools, software and a patching discipline, most are avoidable, leaving you free to focus on what matters most: providing world-class patient care. 

VComply Editorial Team

Six Step Guide for Vendor Risk Management Programs
May 13, 2020 (4 minute read)

Enterprise risk management has gained relevance because regulations change constantly and markets are competitive. Most companies focus on the risk that is internal to the company, with special emphasis on optimizing internal controls and processes. A major part of enterprise risk, however, is vendor risk. Managing many vendors, suppliers and partners is difficult, and with margins under constant pressure, companies must optimize their costs, in which effective vendor management plays an important role.

As businesses specialize in a narrow set of activities and outsource critical processes and systems to vendors, vendor management becomes a very important task.

A vendor risk management program is challenging because of the number of internal and external participants involved on both sides of the relationship.

Your six step success guide for effective vendor risk management process:

Internal Controls: Establish strong, organization-wide internal controls. They standardize the quality and requirements expected of a vendor and let you assess each vendor against the same parameters. For example, an internal control on pollution levels lets you judge vendors on the environmental footprint of their products or services.

Vendor Contracts: A contract is the preferred way to mitigate vendor risk and to state clearly the value the vendor must deliver. Mutually agreed terms and conditions put vendor and customer on the same page with a clear understanding of each other's role. Key elements should include the review period, audit rights and security requirements, including breach notification duties for vendors that handle your data.

Risk Assessments: Vendor risk management typically involves three distinct risk categories: business profile risk, control risk and relationship risk. Business profile risk covers the financial, regulatory-compliance and geopolitical profile of the vendor; control risk covers the processes and policies the vendor adopts to deliver on the contract; relationship risk is the risk that comes from engaging in business with the vendor at all, such as dependency on it.

To assess the risk, perform due diligence on the vendor. During the assessment, define controls for the high-risk areas, how they will be measured, and the indicators that alert you when problems arise.

Onsite Audit: Conduct on-site audit to assess critical processes adopted by the vendor. Establish an audit plan before the visit so that critical areas are inspected and correct and relevant findings are documented for further review.

Reporting: Record your findings in a concise audit report that gives internal teams such as legal and logistics what they need to review the vendor, and gives the vendor concrete suggestions for strengthening its weak controls so that it complies with your requirements.

Monitor Risks: Continuously monitor the changing business environment of your organization and of the vendor; this helps you anticipate risks arising from non-compliance. You can manage vendor risks by setting up the necessary compliance requirements in VComply. Monitor the vendor's financial health, regulatory compliance, internal controls and security measures.

VComply Editorial Team

Adoption of The GRC Regime in the Past, Present & Future
Mar 18, 2020 (2 minute read)

“Knowledge constantly makes itself obsolete with the result that today’s advanced knowledge is tomorrow’s ignorance”. One has to be on the learning curve and continuously move up.  Business today operates in a highly complex & dynamic world. GRC is a discipline that brings together focus areas across corporate governance, enterprise risk management and corporate compliance. The aim of an effective GRC strategy is to ensure that the right efficiencies are brought in and more effective information sharing & reporting mechanisms are enabled.

GRC in the Past, Present & Future

GRC as an acronym denotes governance, risk and compliance, but the full story of GRC is much more than these three words. In the past, organizations managed GRC through non-integrated processes. That led to a cumbersome environment with high costs, duplication, a lack of visibility into risks, inefficiency, greater vulnerability, an inability to address third-party risks, and too many negative surprises.

The core functionality of GRC has evolved in response to the need for a standardized and centralized data and process management structure supporting compliance and risk management functions in light of increasing complexity in both activities.

VComply helps an organization manage governance in a centralized database.

An effective GRC regime is essential in today's business world but can be challenging to implement. Organizations have now realized that implementing a GRC system leads to more efficiency and reliability and is important for sustainability and future development. GRC can transform a business altogether, but a GRC system also brings challenges, workplace silos being one of them. At many companies GRC processes operate in silos, creating a proliferation of frameworks and systems, which can result in:

  • Poor understanding of financial, operational, IT, regulatory, and fraud risks.
  • Ineffective risk minimization.
  • High GRC costs
  • Weak financial statements

Today, however, businesses are demanding much more from their GRC programs. When businesses meet these objectives well, they are positioned to excel in security, reliability, automation and privacy. But first they need to integrate GRC with the rest of the business to build digital trust in their data accuracy and business processes. Compliance can be overwhelming, but with a tool like VComply the risk of non-compliance is greatly reduced. VComply is a single solution for mid-size and large organizations, offering audit management, IT management, risk management, enterprise GRC management, performance management and more.  

So What is GRC’s future in the next few years?

Organizations initiating or are already in the middle of their GRC journey should ideally opt for a holistic, integrated and programmatic approach. It is important to understand that responsibility for GRC compliance lies not with just a few individuals, but rather in the combined hands of the entire organization. Regardless of GRC’s past, present, or future, GRC platforms represent the best way to meet the requirements of compliance and risk management. No matter how you define it, the adoption of a GRC platform can be a defining moment at your company.

VComply keeps your organization on the right track by providing the hassle-free environment your business requires.

VComply Editorial Team

The components of a GRC Platform
Nov 5, 2019 (2 minute read)

Most GRC vendors provide the same basic components in their platforms, which can be configured to fit different GRC solutions. Organizations implementing GRC technology for a specific need will evaluate the functionality and cost of a solution differently from organizations seeking an integrated GRC solution.

The basic functional components of a GRC platform include:

  • Data modeling – Data modeling establishes the consolidated GRC framework and entity hierarchy within which detailed business records are managed. It is the core component every GRC platform is built on, and the flexibility of the data model decides whether an integrated GRC deployment is feasible.
  • Content management – This component applies to individual business records. It supports authoring, rich-text editing, cross-referencing, tagging and shared workspaces or files, with version control and a change history of who edited what. It features mainly in the policy management, contract management and audit management solution areas.
  • Project management – Project management capabilities manage the schedules, activities and work papers of multiple GRC efforts, most notably audits and case management. They matter for IT project portfolio management and are increasingly used to manage regulatory projects.
  • Workflow management – This component automates the assignment of responsibility and drives enterprise communication, collaboration, notification, accountability, assurance and review. It is used across all GRC domains.
  • Regulatory change management – This component ingests external regulatory feeds from multiple content providers so that the organization stays current with changes in the regulations that apply to it.

Other components that are important for supporting the core architecture are:

Configuration – Configurability is essential to meeting unique customer requirements related to the data model, data input and visualization, and reporting.

Data integration – GRC platforms mostly provide integration with third-party systems through a web-based application programming interface (API) and through automated uploads in common data formats (.xml, .csv). Both cross a trust boundary: authenticate API callers, and validate uploaded files before they populate the GRC data model.

Data security – GRC platform vendors typically offer a role-based security architecture that supports enterprise, entity, record and field-level security. When evaluating a platform, confirm that these checks are enforced on the server side for every access path (user interface, API and exports), not merely hidden in the user interface.
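As an added example (not VComply's code, and not a design HIPAA prescribes), the following Python models what entity, record and field-level security means in practice, and at the same time the "minimum necessary" access control that the HIPAA post above calls for: each role is scoped to an entity, to a subset of records and to an allow list of fields; anything outside that scope is denied by default; and every attempt, allowed or denied, is written to an audit trail. The roles, field names, user ids and the sample patient record are all constructed for the example.

```python
"""Minimum-necessary access to PHI: entity, record and field-level checks
with an audit trail.

Added example, not VComply's code. The roles, fields and sample record
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable


class AccessDenied(PermissionError):
    """Raised on any access outside the caller's role scope (default deny)."""


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    entity: str  # business unit the user belongs to, e.g. a clinic


@dataclass(frozen=True)
class RoleScope:
    all_entities: bool                           # entity level: own entity only, or all
    record_filter: Callable[[User, dict], bool]  # record level predicate
    fields: frozenset[str]                       # field level allow list


# Role definitions. Fields not listed are never returned, so a new PHI
# field added to a record stays hidden from every role until someone
# decides which role needs it.
ROLES: dict[str, RoleScope] = {
    # Clinicians see clinical data only for patients on their care team.
    "clinician": RoleScope(
        all_entities=False,
        record_filter=lambda u, r: u.user_id in r["care_team"],
        fields=frozenset({"record_id", "name", "dob", "diagnosis"}),
    ),
    # Billing staff see payment data for any patient of their own entity,
    # but no clinical data.
    "billing": RoleScope(
        all_entities=False,
        record_filter=lambda u, r: True,
        fields=frozenset({"record_id", "name", "insurance_member_id", "billing_balance"}),
    ),
    # Compliance auditors see record metadata across all entities, never PHI content.
    "auditor": RoleScope(
        all_entities=True,
        record_filter=lambda u, r: True,
        fields=frozenset({"record_id", "entity", "last_updated"}),
    ),
}


def view_record(user: User, record: dict, audit: list[dict]) -> dict:
    """Return the subset of `record` the user may see, logging the attempt.

    Denied attempts are logged too, before the exception is raised, so
    the audit trail shows probing as well as successful access.
    """
    scope = ROLES.get(user.role)  # unknown role -> None -> denied
    allowed = (
        scope is not None
        and (scope.all_entities or record["entity"] == user.entity)
        and scope.record_filter(user, record)
    )
    audit.append({
        "user": user.user_id,
        "role": user.role,
        "record": record["record_id"],
        "allowed": allowed,
        "fields": sorted(scope.fields) if allowed else [],
    })
    if not allowed:
        # The error names the record, never its contents: the caller is not entitled to them.
        raise AccessDenied(f"{user.user_id} ({user.role}) may not view {record['record_id']}")
    return {k: v for k, v in record.items() if k in scope.fields}


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "entity": "clinic-east",
    "record_id": "pt-0001",
    "name": "Jane Doe",
    "dob": "1980-01-01",
    "diagnosis": "example diagnosis",
    "insurance_member_id": "MBR-123456",
    "billing_balance": 120.50,
    "care_team": ["dr-smith"],
    "last_updated": "2020-09-30",
}


def demo() -> tuple[list[dict], list[dict]]:
    """Run four access attempts against the sample record; return (views, audit trail)."""
    audit: list[dict] = []
    users = [
        User("dr-smith", "clinician", "clinic-east"),  # on the care team
        User("dr-jones", "clinician", "clinic-east"),  # same clinic, not on the care team
        User("acct-1", "billing", "clinic-east"),
        User("aud-1", "auditor", "head-office"),       # different entity, auditor scope
    ]
    views: list[dict] = []
    for u in users:
        try:
            views.append(view_record(u, SAMPLE_RECORD, audit))
        except AccessDenied:
            views.append({})
    return views, audit


if __name__ == "__main__":
    for v, a in zip(*demo()):
        print(a["user"], "allowed" if a["allowed"] else "DENIED", sorted(v))
```

Running the file prints one line per access attempt. The design choices worth carrying into a real evaluation are the allow list of fields (a newly added PHI column is invisible to every role until someone decides who needs it), logging before raising (so a denied probe is visible to the auditor), and keeping record contents out of the error message.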

Contextualization – In an integrated GRC implementation, the ability to present different navigation and input screens to different user groups matters, because people adopt a platform that looks intuitive for their own work.

Performance – The organization must start evaluating architecture performance by establishing performance standards based on the composition of users. Many GRC platforms lack “snappiness” even when not under heavy load. Knowing the vendor’s largest implementation and comparing it with the size of yours will help ensure that the platform meets your load requirements.

VComply Editorial Team

Confused as to which Cloud Service to avail? Read on to choose better.
Jun 8, 2020 (3 minute read)

While the cloud is an extremely hot topic for organizations worldwide, it is still a pretty broad concept that covers a plethora of services and delivery models. As businesses begin to consider switching to the cloud, be it for application or infrastructure deployment, it is more important than ever to understand the differences between the various cloud services.

There are three main models of cloud service to compare: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Each has its own benefits and its own split of responsibilities between provider and customer, so understanding the differences between SaaS, PaaS and IaaS is necessary to choose the right one.


SaaS: Software as a Service
Software as a Service, also known as cloud application services, is the most commonly utilized option for businesses in the cloud market. SaaS uses the internet to deliver applications, which are managed by a third-party vendor, to its users. Most of the SaaS applications are run directly through the web browser and do not require any downloads or installations on the client side.
Because of this web delivery model, businesses do not need IT staff to install and update applications on each individual computer. The vendor runs the underlying stack, including servers, storage, middleware and the application's own data store, which streamlines maintenance and support. The customer still owns its data, its user accounts and access settings, and the configuration of the service; a misconfigured SaaS tenant is the customer's breach, not the vendor's.

PaaS: Platform as a Service
Cloud platform services, or Platform as a Service (PaaS), provide a managed runtime on which applications are built and hosted. PaaS gives developers a framework they can build on and use to create customized applications. The servers, storage and networking are managed by the provider (or by the enterprise's own platform team), while the developers remain responsible for the applications themselves.

The delivery model of PaaS is similar to SaaS, apart from the fact that instead of delivering the software over the internet, PaaS provides a platform for software creation. This platform is delivered over the web and gives developers the freedom to concentrate on building the software without having to worry about operating systems, software updates, storage, or infrastructure. PaaS also allows businesses to design and create applications built into the PaaS with special software components.

IaaS: Infrastructure as a Service
Cloud infrastructure services, known as Infrastructure as a Service (IaaS), is composed of highly scalable and automated computer resources. IaaS is fully self-service for accessing and monitoring things like computers, networking, storage, and other services, allowing businesses to purchase resources on-demand and as-needed instead of having to buy the hardware outright.

IaaS delivers cloud computing infrastructure, such as servers, networks, operating systems and storage, through virtualization. The virtual servers are provisioned through a dashboard or an API, and IaaS clients control everything above the hypervisor. IaaS offers the same technologies and capabilities as a traditional data center without the need to physically maintain or manage it: clients access their servers and storage directly, but the hardware sits in a "virtual data center" run by the provider.

Unlike SaaS or PaaS customers, IaaS clients are responsible for managing the applications, runtime, operating systems, middleware and data, which includes patching the operating system and configuring network access and firewall rules. The IaaS provider manages the physical servers, disks, networking, virtualization and storage. Some providers also offer services above the virtualization layer, such as managed databases or message queues. Whichever model you choose, write down this split of responsibilities (the provider's shared responsibility model) before migrating, because the controls left on your side are the ones an auditor, or an attacker, will test first.

As we can see, each cloud model offers its own features and functionality, and it is crucial for businesses to understand the differences. Whether you need cloud-based software with storage, a smooth platform on which to create customized applications, or control over an entire infrastructure without having to physically maintain it, there is a cloud service available. No matter which option a company chooses, migrating to the cloud is the direction business and technology are taking, and it is necessary to be properly informed.

VComply Editorial Team