We are excited to have a guest blog post from Irina Ridley, Privacy and Compliance Officer for Omada Health. Irina offers practical guidance for healthcare providers when considering digital health partners. See Irina's original LinkedIn post.
For decades, healthcare has been among the most highly regulated industries in the United States, if not the most regulated. With good reason: payers, providers, companies, and individuals operating in this space are quite literally dealing with life and death every day. Not to mention handling the most personal and valuable information of the patients they serve.
But if you’re trying to innovate in a highly-regulated industry, it’s tempting to see all those legacy rules as hindering your progress. After all, rule-following runs counter to the “break things and move fast” ethos that has successfully birthed so many startups, and many of the older regulations weren’t written with the needs and peculiarities of digital health in mind.
But as Health & Human Services Secretary Sylvia Mathews Burwell has said, “there’s no such thing as a soft launch in health care.” The strategies that have worked to successfully disrupt ossified industries like hospitality and transportation simply don’t apply in our industry.
Because here’s the truth: compliance isn’t a dirty word. Nor should it hinder innovation. Both the regulators and innovators have the same end goal — provide exceptional care to those who need it most. The scariest outcome for healthcare is for innovation to become the industry’s riskiest proposition.
That’s why for anyone considering new health programs or benefits, it’s critical to evaluate whether a digital health company understands (and lives) the world of compliance.
Here are 5 key questions to ask a potential digital health partner before giving them the time of day.
It doesn’t matter if a healthcare startup has 1,000 employees or ten. You shouldn’t even consider a meeting if they don’t have a designated Compliance Officer and an empowered compliance function.
Bonus points: Ask them how many employees they had before adding a Compliance Officer to the mix. In my book, it can’t happen soon enough. At Omada Health, the founding team was working to fill this position from day one. I joined the company back when there were just a handful of us working out of a tiny, cramped office, years before the average startup would have brought someone like me on board.
As Sean Duffy, our CEO, once put it: “We believe that we can disrupt healthcare without dismissing healthcare. There are plenty of good reasons for regulation, and any newcomers who claim to know better without doing their homework are dangerous, period.”
Our compliance team is involved in all company activities and decisions. What’s more, we don’t simply opine at the end of a project, but function as core team members from its earliest inception, whether it’s a tiny product feature or a massive strategic partnership. The result? The centrality of compliance, not only as a process but as an ethos, feels absolutely woven into the DNA of the company.
Has it stifled innovation? Hardly. (We were recently named the #1 most innovative US healthcare company.) What this has done is make us more trustworthy, helping pave the way to partnerships and collaborations with industry leaders and regulators alike.
Simply having a written compliance policy isn’t enough. You need reassurance that the employees have read it, understand it, and routinely apply it. From the CEO to the summer intern.
That is why you should ask any potential healthcare partner what’s most important for their employees to know and how they train their team. Don’t worry, this doesn’t make you a stickler.
My goal is to provide enough information so that all employees are making fully informed business decisions, but not so much that they are drowning in information overload. Lawyers like me tend to love going deep into the details, but we’ve developed training so that each department truly understands how policies, processes, and regulations apply to their everyday work.
A core value at Omada is “Patients First.” This means that every decision should put the needs of those who use our program before all others. I often reference this value when distributing (yet another) piece of compliance training. It’s a great reminder of the people we are working to protect in the first place. They’re worth it.
Ah, enforcement. Feels funny to question the enforcement policy of a potential health partner, but resist the urge to shy away from it. Why? Because unless a team truly understands the consequences of non-compliance, it’s impossible to expect them to take it as seriously as they should.
That’s why our compliance and HR teams work hand-in-hand. Our mutual goal is to ensure that every employee not only understands why compliance matters, but also what would happen if they were to willfully (or even accidentally) break internal or external rules.
In our eyes, a compliance violation is essentially an ethics violation. We have to take it seriously, and I’ve learned that our employees respect this stance. As our Chief Brand Officer Andréa Mallard recently put it, “It feels good to be a part of a team that’s doing the right thing in the right way.”
Employees must feel empowered to say something when they see a potential compliance violation. And any digital health company worth its salt should have a non-retaliation policy. I often joke at the end of trainings that if you “see something, say something.” But everyone knows that I really mean it. Anonymously or not, by email, phone call, or face-to-face, every Omada employee is empowered to identify issues and is thanked for making their opinions heard (even if they turn out to be wrong). These issues are then discussed at our Risk Committee Meetings, where a group of us works thoughtfully and comprehensively to come up with great solutions.
No company is perfect, and even those with the best of policies (and intentions) may occasionally stumble.
That’s why if you ask a potential partner about how they’ve responded to compliance violations in the past and they tell you they’ve never had any, please, run for the hills. They are either lying or, even scarier, don’t yet have a good way of noticing that violations are happening.
At Omada, we have dedicated teams that are poised to come together immediately to address even the most “minor” of issues (though in my book, there’s no such thing as a “minor” compliance issue). Everything else stops and we deep-dive not only on addressing the issue at hand, but also ensuring the entire company learns from that mistake.
The good news is that the government is most interested in assessing the corporate culture of compliance. This provides the basis for informed decision making and rewards innovation; a non-compliant culture amplifies mistakes and forecloses options.
Remember, most compliance issues aren’t large-scale, naked violations. They are a piece of code too hastily written, or a turn-of-phrase in marketing that could be misinterpreted, or simply a miscalibrated business decision that could, in theory, lead to problems down the road. Human error is always going to happen, and you need partners who aren’t afraid to both admit it and be transparent with how they manage it.
As Christina Farr put it in a recent Fast Company article, “…More scrutiny can be a good thing, as it will help the companies that are demonstrating real value to stand out from the pack.”
I couldn’t agree more. So if you’re in a position of evaluating a digital health offering, I urge you to rattle some compliance cages as a first step. In my experience, companies that take their ethical duties seriously tend to have the rest of their house in order; unfortunately, recent history has shown us that the reverse is simply not true.