Kenneth W. Fody
Joel Bagnal

Healthcare laws and regulations these days, particularly HIPAA and its associated technology implications, have become a maze of layers that intrude on everyday operations and require new approaches to compliance.

Unfortunately, most organizations have not adjusted and continue to use a traditional approach to compliance that lends itself to redundancy, waste, and ineffectiveness. What can you do to ensure you're keeping up with the times? Today's regulatory environment requires bringing all activities together in a coordinated process with common goals.

Past Approaches

Just a little more than a decade ago, healthcare laws and regulations were relatively simple. Government oversight of providers chiefly focused on auditing bills and payments. Litigation was a precursor of what was to come, with lawsuits often focusing on process failures (e.g., the failure to follow so-called best practices as the cause of harm).

In this environment, organizations viewed compliance as an isolated process, responding to each law or rule individually. The manner of regulation at that time lent itself to this type of treatment. For example, the Emergency Medical Treatment and Active Labor Act set rules for when hospitals could refuse treatment or could transfer a patient from one hospital to another. To effectively address these types of requirements, an organization could create a team to modify a business process or computer system as needed.

In the early 1990s, however, the landscape began to change. Lawmakers and regulators started following the lead of attorneys and began to look beyond regulating outcomes to regulating processes. HIPAA's privacy and security regulations are the culmination of these changes. To stay compliant, entities must be vigilant in trying to uncover deficiencies, be self-correcting once a deficiency is found, and have processes in place to maintain and document continuous compliance.

Accreditation has also undergone dramatic change. Accreditation agencies like the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) used to have relatively straightforward rules and announced their visits in advance. In recent years, accreditation standards have incorporated trends in state and federal regulation. More recently, accrediting bodies have decided to use unplanned visits as a means of enforcement. Doing so has resulted in organizations appointing an area and/or official with ongoing responsibility for preparing for these evaluations.

Patient safety is quickly becoming the next lightning rod for legislative and regulatory activity. Action is still in its early stages, but an ominous indicator of what may come can be seen from California's adoption of a law requiring use of safety-enhancing technology. Similarly, JCAHO has announced that it intends to require hospitals to use bar coding technology in the future.

A New Response

Unfortunately, while regulators and attorneys have continually changed their approaches toward overseeing healthcare organizations, providers are not adapting their responses. The result is that providers are responding to the layers of uncoordinated requirements with uncoordinated compliance activities. What frequently follows is inefficiency and waste, poor communication among different departments with similar responsibilities, and a high likelihood for conflict among staff.

To better adapt to today's changing compliance requirements, healthcare organizations should update their current compliance efforts and associated technology strategies by:

  • Aligning compliance with corporate strategy and goals
  • Securing executive support for compliance
  • Creating an environment where the approach to compliance is coordinated
  • Recognizing that compliance is continuous

Aligning compliance with corporate strategy and goals. To be most effective, compliance goals and initiatives should be aligned with the strategy and goals of the organization. For example, if a goal of an organization is to move to an electronic medical record that puts information at the fingertips of clinicians when needed, then security and privacy compliance has to accommodate this change. The key is identifying the common thread between the requirements with which an entity must comply and the goals of the company.

Securing executive support for compliance. Executives need to see that the goals of the organization support compliance activities. Therefore, it's particularly important for executives to be included in education and communications regarding compliance. When executive support is obtained, it is easier to receive necessary funding, approvals, and staff buy-in.

Creating a coordinated approach to compliance. Coordination involves identifying common activities and ensuring that the approach to these is efficient and effective. For example, hospitals must meet many standards relating to security, but compliance may be divided within an organization based on the source of the requirement (e.g., one area may oversee HIPAA-related activities and another may be responsible for compliance in relation to JCAHO's standards). By coordinating these activities, organizations can most effectively address these issues.

Recognizing compliance as a continuous process. Compliance can no longer be a one-time event; it must be continuous. The processes and tools for quality management lend themselves to the needs of compliance in this regard by helping to:

  • Identify the requirement
  • Measure current conformance
  • Determine what changes are needed
  • Document the new processes
  • Train staff on the new processes
  • Implement the new processes
  • Periodically measure conformance

Ongoing compliance management is important to keep pace with ever-changing regulatory and technical environments. A coordinated approach to compliance provides the kind of empirical data that can be used to implement short-term solutions and plan more expensive or significant technical changes for long-term solutions.

Long-Term Benefits

The biggest drawback to initiating coordination of compliance activities is that the benefits are hard to measure. How does one measure the cost of risk successfully avoided, of lawsuits not filed, or government fines not levied? Other benefits include not only efficiency in complying with current standards, but also a streamlined process for meeting future requirements.

With the new expectation that organizations will be self-policing, the penalties for failing to improve compliance activities will be higher than in the past. These penalties will be more than just financial. Success or failure in compliance will be synonymous with success or failure in patient safety, which is a fundamental goal of every organization involved in health care.

Kenneth W. Fody, Esq., is an attorney, Healthlink Incorporated, Houston.

Joel Bagnal is a senior consultant, Healthlink Incorporated, Houston.

Questions or comments about this article may be sent to Ken Fody at

Publication Date: Tuesday, June 01, 2004
